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EXECUTIVE SUMMARY 


An important facet of the Nation’s strategy to protect critical infrastructures from cyber attacks is 
the development of mechanisms to facilitate public and private sector information sharing about 
actual threats and vulnerabilities. To address this concern, the National Security 
Telecommunications Advisory Committee’s (NSTAC) Industry Executive Subcommittee (IES) 
formed the Information Sharing/Critical Infrastructure Protection Task Force (ISCIPTF) in 
September 1999 to focus on various information-sharing issues associated with critical 
infrastructure protection. 

Following NSTAC XXIII, the ISCIPTF addressed three new charges from the NSTAC to the 
IES. 

• Provide input to Version 2.0 of the National Plan for Information Systems Protection 
(National Plan) 

• Address barriers to infonnation sharing for critical infrastructure protection, to include 
the Freedom of Information Act (FOIA) and possible law enforcement restrictions 


• Coordinate with United States Space Command (USSPACECOM) to further develop 
means for infonnation sharing. 

The NSTAC, as part of the ongoing industry/Government partnership, has been deeply involved 
in critical industry-based analysis and recommendations related to national security and 
emergency preparedness telecommunications and associated information systems. 

The NSTAC developed a response to the National Plan, presenting an overview of its work in 
progress and a synthesis of relevant conclusions and recommendations for consideration as the 
Nation develops a strategy for critical infrastructure protection (CIP). The response is based on 
proven processes for industry/Government partnership at the technical, operational, and policy 
levels. The response maps NSTAC findings across these areas with the major CIP objectives 
outlined in Version 1.0 of the National Plan. The NSTAC concluded that bridging the gap in 
perspectives of industry and Government regarding the threat to critical infrastructures is key to 
future successful dialogue. 

Regarding potential barriers to infonnation sharing, the ISCIPTF addressed the need for 
legislation that would create a CIP exemption to FOIA. In conjunction with the NSTAC’s 
Fegislative and Regulatory Working Group, the task force reviewed elements of what would be 
effective FOIA legislation and related policy considerations. 

In addition, the task force examined possible law enforcement restrictions on industry sharing 
infonnation on network intrusions with Information Sharing and Analysis Centers or similar 
infonnation-sharing forums. In response to the ISCIPTF’s request, the NSTAC and Government 
Network Security and Information Exchanges (NSIE) investigated the issue. In working with the 
Department of Justice, the NSIEs found that although common practice discourages victims of 



such crimes from sharing infonnation, no laws or policies prohibit victims from discussing 
crimes against them even after they have reported them to law enforcement. To address the 
situation, the Department of Justice, in cooperation with the NSIEs, will work with the law 
enforcement community to implement policies that encourage victims to share such infonnation, 
and to educate victims on those policies. 

Building on NSTAC’s relationship with USSPACECOM, the ISCIPTF continued to coordinate 
with USSPACECOM representatives on critical infrastructure protection matters. 
Representatives were invited to attend task force meetings, and ISCIPTF members visited 
USSPACECOM facilities in Colorado Springs, Colorado. The task force agreed to continue to 
work with USSPACECOM to develop additional ways to share information. 



1.0 INTRODUCTION AND CHARGE 


An important facet of the Nation’s strategy to protect critical infrastructures from cyber attacks is 
the development of mechanisms to facilitate public and private sector information sharing about 
actual threats and vulnerabilities. To address that concern, the National Security 
Telecommunications Advisory Committee’s (NSTAC) Industry Executive Subcommittee (IES) 
formed the Information Sharing/Critical Infrastructure Protection Task Force (ISCIPTF) in 
September 1999 to focus on various information-sharing issues associated with critical 
infrastructure protection. 

In preparation for the May 16, 2000, NSTAC XXIII meeting, the ISCIPTF examined 
mechanisms and processes for protected, operational information sharing that would help 
achieve the goals of Presidential Decision Directive 63 (PDD-63) 1[1] and further the role of the 
National Coordinating Center for Telecommunications (NCC) as an Information Sharing and 
Analysis Center (ISAC). 2[2] In addition, the task force continued, through outreach, NSTAC 
interaction with Government leaders responsible for PDD-63 implementation. The ISCIPTF 
completed these taskings and forwarded its findings and recommendations to the NSTAC in May 
2000 . 3[3] 

Following NSTAC XXIII, the ISCIPTF addressed three new charges from the NSTAC to the 
IES: 

• Provide input to Version 2.0 of the National Plan for Information Systems Protection 
(National Plan) 

• Address barriers to infonnation sharing for critical infrastructure protection, to include 
the Freedom of Information Act (FOIA) and possible law enforcement restrictions 


• Coordinate with United States Space Command (USSPACECOM) to further develop 
means for infonnation sharing. 


1[1] White Paper, “The Clinton Administration’s Policy on Critical Infrastructure Protection: Presidential Decision Directive 63,” 
May 22, 1998. 

2p] The NCC was established in 1984 as a result of an NSTAC recommendation to develop a joint industry/Government national 
coordinating mechanism to respond to the Federal Government’s national security and emergency preparedness (NS/EP) 
communications service requirements. The NCC’s mission is to assist in the initiation, coordination, restoration, and 
reconstitution of NS/EP communications services or facilities. The NSTAC was instrumental in expanding the NCC’s 
responsibilities to include functioning as an ISAC for the telecommunications infrastructure. Established in January 2000, the 
NCC-ISAC was the second ISAC to be fonned following the promulgation of PDD-63 and the first ISAC with both industry 
and Government membership. The NCC-ISAC gathers information about vulnerabilities, threats, intrusions, and anomalies 
from telecommunications industry, Government, and other sources, and then analyzes the data with the goal of averting or 
mitigating effects on the communications infrastructure. Results are sanitized and disseminated in accordance with sharing 
agreements established by the NCC-ISAC participants. 

3[3] See the Information Sharing/Critical Infrastructure Protection Task Force Report, May 2000. 



2.0 RESULTS 


2.1 National Plan for Information Systems Protection 
Background 

PDD-63 envisions a comprehensive national strategy for critical infrastructure protection (CIP). 
The White House’s National Plan is intended as a first major element of the larger effort to 
protect the Nation’s information systems and critical assets. Version 1.0 of the plan focuses 
mainly on Federal efforts being undertaken to protect the Nation’s critical cyber-based 
infrastructures. Subsequent versions are to address a broader range of concerns, including the 
specific role industry can play in protecting physical and cyber-based infrastructures from attack. 
Input from industry—the owners and operators of most of the Nation’s infrastructures—is 
essential. 

At the May 16, 2000, NSTAC XXIII meeting, the National Coordinator for Security, 
Infrastructure Protection, and Counter-terrorism, National Security Council, asked for NSTAC 
comments on Version 1.0 of the National Plan. In response to this request, the ISCIPTF drafted 
The NSTAC’s Response to the National Plan. The report is attached as Appendix B, and its 
findings are summarized below. 

Findings 

By reviewing and synthesizing conclusions and recommendations from the NSTAC’s work in 
progress, the task force isolated key points to be considered as the Nation develops a CIP 
strategy. Specifically, the task force documented NSTAC findings related to the three broad 
objectives of Version 1.0 of the National Plan—Prepare and Prevent, Detect and Respond, and 
Build Strong Foundations—that should be reflected in Version 2.0 of the plan. In addition, the 
task force proposed that a new broad objective—International Considerations—be included in 
the next iteration of the plan. 

The task force concluded that the NSTAC’s cumulative work in the areas of critical 
infrastructure protection and infonnation assurance can serve as a baseline for intensifying the 
dialogue between industry and Government regarding the best means for protecting the Nation’s 
critical infrastructures. Key to this future discussion are the differing perspectives that industry 
and Government hold regarding the threat to critical national infrastructures. From a business 
perspective, industry in general believes it understands and is adequately mitigating the threat to 
its operations. From a national security perspective, the Government warns of an increased— 
albeit imprecisely defined—international threat to critical national infrastructures. Bridging this 
gap in perspectives can provide a foundation for future collaboration. 



2.2 


Freedom of Information Act 


In its NSTAC XXIII report, the ISCIPTF addressed FOIA and recommended that the President 
support legislation similar to the Year 2000 Information and Readiness Disclosure Act to protect 
critical infrastructure protection infonnation shared voluntarily with the Government from 
disclosure under FOIA. Subsequently, the NSTAC Chair sent a letter to the President 
emphasizing the importance of the FOIA issue. 

FOIA is considered an important issue in the CIP context because it could serve as a barrier to 
infonnation sharing. Specifically, companies may be reluctant to share CIP-related information 
with the Government if such (potentially sensitive) infonnation could be unintentionally 
disclosed through FOIA. This disclosure can occur because FOIA provides a mechanism for the 
public to access Government-maintained records. Although a number of exemptions exist to 
prevent disclosure, none clearly cover information pertaining to national security and emergency 
preparedness or CIP. 

In light of these factors, the ISCIPTF requested that the NSTAC’s Legislative and Regulatory 
Working Group investigate elements of what would be effective FOIA legislation and related 
policy considerations. 



2.3 Sharing Information on Incidents Reported to Law Enforcement 
Background 

At the May 16, 2000, NSTAC XXIII meeting, the NSTAC Principals discussed with senior 
Government officials how to improve information sharing between industry and Government 
regarding electronic intrusions into network systems and databases. One issue discussed with the 
Director, National Infrastructure Protection Center (NIPC), was whether victims of such crimes 
were prohibited by law enforcement from reporting the intrusions to ISACs or similar 
information-sharing forums. Because the Principals and the Director, NIPC, had different views 
on this issue, the NSTAC Chair suggested that the NSTAC document its concern. After 
considering the matter, the ISCIPTF requested that the NSTAC and Government Network 
Security Infonnation Exchanges (NSIE) consider the issue because of the NSIEs’ experience in 
this area. 

NSTAC NSIE representatives have noted that, historically, they do not discuss intrusions into 
their networks and systems with anyone else after reporting them to law enforcement because 
case agents told them that doing so might compromise their cases. Because the companies and 
individuals wanted to cooperate with law enforcement and did not want to risk jeopardizing their 
cases, they have honored these requests. This reluctance, however, has hindered infonnation 
sharing within the NSIEs. The NSIEs report to the ISCIPTF in connection with this issue and its 
potential effect on industry’s participation in ISACs is attached as Appendix C. Its findings are 
summarized below. 

Findings 

In working with the Department of Justice (DOJ), the NSIEs found that although common 
practice discourages victims from sharing information, no laws or policies prohibit victims from 
discussing crimes against them even after they have reported them to law enforcement. This 
discrepancy reflects a lack of understanding on the part of victims, case agents, and prosecutors 
of the benefit of sharing some information in a disciplined manner (in practice, discussing a case 
too broadly can jeopardize its successful prosecution) to prevent further crimes. An example of 
disciplined information dissemination is sharing appropriate information in appropriately 
protected forums such as the NSIEs or ISACs. 

In response to this issue, the NSIEs will document their procedures for sharing and protecting 
information and work with DOJ to communicate these procedures to the law enforcement 
community. This measure is intended to build law enforcement’s confidence that infonnation 
shared for network security purposes will be properly guarded. The NSIEs also found that it will 
be necessary for the private sector to ensure that its personnel who interact with law enforcement 
on such cases are aware that they are permitted and encouraged to share this information for 
network security purposes using appropriate mechanisms. At the same time, the Chief, 

Computer Crime and Intellectual Property Section, DOJ, will work with the law enforcement 
community to develop and implement policies that encourage victims to share such infonnation, 
and to educate victims on those policies. 



2.4 Coordination with United States Space Command 
Background 

The May 2000 NSTAC XXIII meeting was co-hosted in Colorado Springs, Colorado, by 
USSPACECOM. General Ralph Eberhart, U.S. Air Force, and Commander in Chief, 
USSPACECOM, addressed the NSTAC Principals and briefed them on USSPACECOM’s 
expanded mission. USSPACECOM incorporated the Joint Task Force for Computer Network 
Defense into its mission when it recently assumed responsibility for protecting the Department of 
Defense’s computer networks. Computer network defense is a key element to the successful 
incorporation of infonnation security, which requires layers of detection tools on computer 
systems, more frequent vulnerability assessments, increased training and certification for 
administrators, education down to the end user, stronger firewalls, and the institution of a public 
key infrastructure. 

General Eberhart attended the NSTAC XXIII meeting to facilitate communication between the 
NSTAC and USSPACECOM. He explained that USSPACECOM had completed a concept of 
operations for computer network defense and is developing the concept of operations for 
computer network attack functions. The efforts to date have focused on conducting real-world 
operations—from peacekeeping to computer virus control. General Eberhart remarked that the 
key to successful information operations is working together to understand the associated 
difficult legal, policy, and doctrine issues. He also explained that participation by industry, the 
owners and operators of the infrastructure, would be essential to the computer network defense 
mission. 

Findings 

The ISCIPTF coordinated with USSPACECOM to develop additional means of sharing 
infonnation. The task force invited command representatives to attend all task force meetings. 
Representatives from USSPACECOM attended task force meetings, and ISCIPTF 
representatives visited USSPACECOM facilities in Colorado to discuss the evolving relationship 
between the NSTAC and USSPACECOM. The task force also appointed Mr. Jon Lofstedt, 
Qwest, as liaison between the task force and USSPACECOM in Colorado. Subsequently, 
representatives from the command attended and briefed at ISCIPTF meetings and IES Working 
Sessions. 

The task force agreed that information sharing is a cornerstone of national infrastructure 
protection and concluded that efforts to share information between the NSTAC and 
USSPACECOM should continue on an ongoing basis. 
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THE NSTAC’S RESPONSE TO 
THE NATIONAL PLAN 


The National Security Telecommunications Advisory Committee (NSTAC) 1[4] Infonnation 
Sharing for Critical Infrastructure Protection Task Force developed The NSTAC’s Response to 
the National Plan to highlight the NSTAC’s work in several issue areas that are important to the 
main objectives of Version 1.0 of the National Plan for Information Systems Protection 
(National Plan). The issue areas are discussed in the context of summaries of previous NSTAC 
reports presented in Annex A: Summaries of Previous NSTAC Reports. This document is 
organized around the three broad objectives listed in the National Plan, which are essential for 
critical infrastructure protection (CIP)—Prepare and Prevent, Detect and Respond, and Build 
Strong Foundations. In addition, it is proposed that a new broad objective—International 
Considerations—be included in Version 2.0 of the National Plan. 

The NSTAC’s studies of Information and Communications (I&C) Sector Interdependencies and 
Risk Management broadly relate to the first objective of the National Plan: Prepare and Prevent. 
That objective addresses the National Plan goal of identifying critical infrastructure assets, 
shared interdependencies, vulnerabilities, and outreach programs to make Americans aware of 
the need for improved cyber-security. The second objective of the National Plan, Detect and 
Respond, connects with the NSTAC issue areas of Network Technologies and Vulnerabilities, 
Response and Recovery, and Infonnation Sharing. Detect and Respond correlates to the 
National Plan objectives to detect attacks and unauthorized intrusions, share attack warnings and 
information in a timely manner, and create capabilities for responses, reconstruction, and 
recovery. Finally, the NSTAC has examined a variety of issues concerning Research and 
Development (R&D) needs, I&C Sector Interdependencies, and Information Sharing, which 
align with Build Strong Foundations, the third objective listed in the National Plan. Build Strong 
Foundations corresponds to the National Plan’s intent to enhance CIP R&D efforts, train and 
employ adequate numbers of infonnation security specialists, and adopt legislation in support of 
CIP efforts. 

This response presents an overview of the NSTAC’s work in progress and a synthesis of relevant 
conclusions and recommendations that have been presented to the President involving issues that 
could affect national security and emergency preparedness (NS/EP) in telecommunications and 
information services. NSTAC reports from the mid-1990s forward are presented in Annex A. 
These reports relate to issues created not only by the evolving telecommunications and 
information infrastructure—from the public network (PN) 2[5] and the public-switched network 
(PSN), 3[61 through the Internet to the next-generation network (NGN) 4[7] —but also by the 


1[4] The NSTAC, established by Executive Order 12382 on September 13, 1982, comprises chief executive officers (CEO) who 
participate on a pro bono basis. The NSTAC has established the Industry Executive Subcommittee (IES) to support its 
activities. The IES, in turn, has established ad hoc task forces and working groups to address issues. The NSTAC also 
collaborates with Government through regular participation in the National Coordinating Center for Telecommunications 
(NCC), the NCC Information Sharing and Analysis Center (ISAC), and the Network Security Infonnation Exchanges (NSIE). 
See p. 4 and Annex A, p. B-16, for a discussion of the NCC, NCC-ISAC, and NSIEs. 

2 i 5 i The PN is defined as any switching system or voice, data, or video transmission system that is used to provide 

communications services to the public (e.g., public switched networks, public data networks, private line services, wireless 
systems, and signaling networks). 

3[6] The PSN is defined as any common carrier network that provides circuit switching among public users. 



changing nature of the threats from physical only to physical and cyber. Because these 
recommendations remain valid and relevant, they should be included in the National Plan. 

Above all, these findings have a more important, fundamental value because they have been 
generated by an exhaustive industry and Government infonnation-sharing process that has 
withstood the test of time. 

The NSTAC has been involved in depth with the CIP issue since its inception and continues its 
work in this area, but the NSTAC is aware that the Nation is only on the threshold of the issue. 
The NSTAC uses a fairly formal process to determine work plans, which it will develop in 
conjunction with the upcoming NSTAC XXIV meeting; however, the NSTAC could address 
future issues. The NSTAC could augment prepare, prevent, and respond with an examination of 
consequence management policy and, with this, an expansion of the roles of the National 
Coordinating Center for Telecommunications (NCC) and the Network Security Information 
Exchanges (NSIE), to include relationships with other CIP components. Although these are just 
examples, they emphasize the idea that The NSTAC’s Response to the National Plan will 
continue to be a work in progress responsive to National needs. 

This information has been shared with the I&C sector through meetings with NSTAC member 
companies and through joint meetings with the I&C sector coordinators’ representatives from the 
Information Technology Association of America, the Telecommunications Industry Association, 
and the United States Telecom Association. 

SHARED CHALLENGES 

At the outset, it is recognized that the dialogue to develop a National Plan stems from the shared 
challenges that Government and the telecommunications and infonnation-related industries face, 
albeit from different perspectives: 

• National security in today’s global environment is being defined and measured in terms 
of economic and military strength. Thus, the Nation’s well-being is highly dependent on 
the protection of the interdependent critical infrastructures as emphasized in Presidential 
Decision Directive 63 (PDD-63). 

• The Government is increasingly relying on the private sector to provide 
telecommunications and information services. This reliance necessitates a continuing 
dialogue to promote mutual understanding of industry and Government interests and 
concerns as the public and private sectors strive to meet the objectives of protecting the 
critical infrastructures through nonregulatory solutions as anticipated by PDD-63. 

• While Government is focusing on protecting national security, preventing future attacks, 
and identifying and punishing attackers, private owners of infrastructures are more 
concerned with common business imperatives. As a result of this dichotomy, any 


The NGN is a public, broadband, diverse, and scalable packet-based network evolving from the PSN, the advanced 
intelligent network (AIN), and the Internet. The NGN is characterized by a core fabric enabling network connectivity and 
transport with periphery-based service intelligence. 




solution to, or recommendations for, the protection of critical infrastructures require the 
participation of private industry in concert with Government. 


• The Telecommunications Act of1996 is opening the telecommunications industry to 
increased competition and interconnection, industry consolidation and integration, and 
foreign ownership at the same time that new service providers are gaining access to 
network facilities. Security measures are consequently becoming even more complicated 
and difficult to implement. 

• The evolution to the NGN is enabling and requiring telecommunications providers to 
transition from proprietary protocols to open-system protocols to manage their networks. 
Concurrently, traditional circuit-switched services are migrating to the Internet’s 
packet-switched networks. As this migration continues and new Internet services are 
introduced, the PN may become more susceptible to well-known Internet vulnerabilities, 
especially in light of the more integrated and increasing dependence on commercial off- 
the-shelf technology. 

• The assurance and full protection of American citizens’ civil liberties, their rights to 
privacy, and their rights to the protection of proprietary data should be affirmatively 
addressed in CIP planning. 

ADDRESSING THE BROAD OBJECTIVES OF THE NATIONAL PLAN 

In this response, which focuses on efforts that the Federal Government is undertaking to protect 
the Nation’s critical infrastructures, it should be noted that NSTAC recommendations have 
already been made to the President concerning many of the programs upon which the Plan’s 
three broad objectives are based—Prepare and Prevent, Detect and Respond, and Build Strong 
Foundations. This timeliness exists because many of the issues associated with the National 
Plan’s programs have been—or are being—addressed in the NSTAC process, 5 ™ either in 
response to an Administration request, as is the case with the assessment of the potential for a 
widespread outage due to network convergence, 6 ™ or in anticipation by member companies of an 
issue or development that could affect NS/EP telecommunications services. These issues are 
discussed under different headings in Annex A. 

NATIONAL PLAN OBJECTIVES: PREPARE AND PREVENT 

A long-standing goal of the NSTAC has been to take steps to minimize the possibility of a 
significant and successful attack on the Nation’s critical telecommunications and information 
infrastructure and to build an infrastructure that remains effective in the face of such an attack. 
Indeed, the NSTAC in 1984 recommended that the NCC be established as a national 
coordinating mechanism to respond to the Federal Government’s NS/EP communications 


5 ™ The NSTAC’s work is based on a process that enables the formation of interdisciplinary task forces to focus on issues that 
require timely operational, technical, policy, and regulatory analysis and recommendations. 

6 ™ Convergence indicates a process over a 3- to 5-year period of NGN evolution during which traditional circuit-switched 
networks (including AIN) and Internet protocol (IP)-based data networks will coexist and interoperate to enable end-to-end 
transmission of voice communications, until IP-based networks subsume circuit-switched networks. 



service. The NSTAC also initiated the development of the NSIE process in 1991 to provide a 
forum in which industry and Government could share information with the goal of reducing the 
vulnerability of the Nation’s telecommunications systems to electronic intrusion. 7[10] 

Industry in general is recommending that physical security be included in Version 2.0; it was not 
included in Version 1.0. However, the primary focus of the NCC in the 1980s was on physical 
threats—an emphasis that was consistent with the Government’s overall focus, at the time, on the 
security of important physical structures, such as dams, bridges, tunnels, and power plants. 8[11] 

As demonstrated in the following text, the focus consequently has broadened from assessments 
of physical threats leading to service outages to the inclusion of assessments of the threats or 
risks of unauthorized intrusions of the PN and vulnerabilities associated with network 
convergence. Concurrently, methodologies for conducting these assessments have been 
developed and refined to accommodate technological change. 

PN Assessments. Assessments were conducted in 1995 9[12] and 1999 10[13] with respect to 
unauthorized penetration or manipulation of the evolving PN software and databases affecting 
NS/EP telecommunications services. 

• Both assessments found that Government and corporate networks had become more 
interconnected as these organizations have increasingly relied on the PN to transmit 
critical business and operations information, thereby increasing the perceived and 
substantive rewards for gaining illicit access. 

• The most recent assessment concluded that absent a valid baseline to establish 
quantitative measures of the risk to the PN from electronic intrusion, it was difficult to 
definitively state how risk had changed over the past few years. Indeed, little evidence 
suggests that the risk has diminished, and numerous factors suggest that it is growing. 

Internet Assessments. In 1999, the Government’s use of the Internet 111141 was assessed in 
parallel with its increasing reliance on the Internet for conducting electronic commerce (e- 
commerce). 12[15] Many of the significant findings in those assessments were similar: 

• Agencies with NS/EP responsibilities are using the public Internet mostly for outreach, 
information sharing, and e-mail. Direct dependence on the public Internet for 
mission-critical operations and e-commerce is currently modest, although the NS/EP 
community’s dependence on the Internet is likely to grow over the next several years. 


7[10] See Annex A, p. B-16, for a discussion of the development of the NCC and the NSIEs. 

S[11] National Plan Version 1.0, Executive Summary, p. xviii. 

9[12] See Annex A, p. B-23, for summary of Government and NSTAC NSIE: An Assessment of the Risk to the Security ofPublic 
Networks. 

10[13 1 See Annex A, p. B-23, for summary of Government and NSTAC NSIE: An Assessment of the Risk to the Security of the 
Public Network. 

11[14] See Annex A, p. B-25, for summary of An Examination of the NS/EP Implications of Internet Technologies. 

12[15] See Annex A, p. B-27, for summary of NS/EP Implications of Electronic Commerce Report. 



Government will more likely depend on dedicated intranets for mission-critical 
operations. 


• The informal and distributed management of Internet functions, the Domain Name 
System, Internet software, and procedural errors and unintentional actions invite potential 
vulnerabilities. Because of the interconnected nature of the public Internet, a disruption 
or degradation of Internet operations could also hamper the operations of dedicated 
intranets. 

• The reliability and security of the public Internet are generally considered inadequate for 
NS/EP mission-critical functions and sensitive e-commerce transactions. So far, no 
Internet technologies or applications facilitate the same type of end-to-end NS/EP-related 
services available in the PN. Nor are there economical incentives for Internet service 
providers (ISP) to develop and offer NS/EP service enhancements over their networks. A 
number of factors (e.g., lack of NS/EP demand and market factors) preclude the 
availability of NS/EP services over the Internet for the foreseeable future. 

Accordingly, the following recommendations were made to the President: 

• Direct the establishment of a permanent program to address NS/EP issues related to the 
Internet. The program should work with the NS/EP community to increase the 
understanding of evolving Internet dependencies and with key Internet organizations and 
standards bodies to increase awareness of NS/EP requirements. 

• Designate a focal point for examining the NS/EP issues related to widespread adoption of 
e-commerce within the Government, and direct the Federal departments and agencies, in 
cooperation with this Federal focal point, to assess the effect of e-commerce technologies 
on their NS/EP operations. 

Convergence Assessments. The implications of the PSN-Internet technical convergence and of 
the transfer of traffic from the PSN to the NGN on the Government’s voice priority NS/EP 
services are under continuing examination. Specific attention is being paid to potential impacts 
on the Government Emergency Telecommunications Service (GETS) 13[16] and 
Telecommunications Service Priority (TSP) 14[17] programs. A mid-2000 assessment reached a 
number of conclusions, including— 15[18] 

• As the PN changes from separate switched-voice and packet-data networks to an 
interconnected network and then to a unified NGN over the next several years, the 
capabilities in the PN around which GETS has been designed, such as ubiquity and 
interoperability, access to NS/EP functional features, and high levels of network 
reliability and security, will no longer be available. To maintain GETS-type functions, 


i3[i(i] Qg’pg provides NS/EP users priority access to and specialized processing for NS/EP calls in local and long distance 
networks. 

14[ 17 1 The TSP Program is the regulatory, administrative, and operational framework for the priority provisioning and restoration 
of any qualified NS/EP telecommunications service. 

15[18] See Annex A, p. B-28, for summary of Information Technolog}’ Progress Impact Task Force Report on Convergence. 



new quality-of-service schemes and functional requirements will have to be developed to 
provide services commensurate with NS/EP needs and security safeguards. 


• TSP, as originally conceived, remains relevant during convergence because restoration 
assignments can still be applied to identifiable segments of the PSN. But, as discussed by 
the program’s Oversight Committee, the program is inapplicable to ISPs offering voice 
services; it should not have a role in the NGN. And if the NS/EP community requires 
similar types of priority services for packet networks, a new program will have to be 
established to support them. 

• Although specific NGN standards have not yet been developed to support NS/EP 
requirements, the NGN technology can support them. Nonetheless, these requirements 
are unlikely to be incorporated by industry unless the features needed to meet them are 
standardized by industry, perhaps with prompting from the Government. 

It has been recommended that the appropriate departments and agencies, in coordination with 
industry, be directed by the President to promptly detennine precise functional NS/EP 
requirements for convergence and the NGN, and to ensure that relevant NS/EP functional 
requirements are conveyed to standards bodies and service providers during standards 
development and implementation. 

Widespread Network Outage Assessments. The Administration continues to request 
assessments regarding the possibility of a widespread service outage in the PN, particularly in 
light of increasing convergence. 

In April 1997, the Assistant to the President for Science and Technology requested an 
assessment of the possibility of a widespread service outage in the public telephone network. 16[19] 
An initial response in December 1997 17[20] and a follow-up response 9 months later— I8[21] 

• Defined widespread outage as “a sustained interruption of telecommunications service 
that would have strategic significance to government, industry, and the general public. 
Such an outage would likely affect the telecommunications service in at least one region 
of the country, including at least one major metropolitan area. It would involve multiple 
carriers, affecting both long-distance and local service, and significantly degrade the 
ability of other essential infrastructures to function. Such an outage would affect the 
availability and integrity of telecommunications service for at least a significant portion 
of a business day.” 

• Concluded that, given the limited precedent for telecommunications outages of this 
magnitude and member companies’ prior experiences with smaller-scale outages, there is 
a low probability of a widespread, sustained outage of public telephone service; however, 
the potential societal impacts of such an outage are high enough to warrant consideration. 


April 24, 1997, letter from Dr. John Gibbons, Assistant to the President for Science and Technology, to Mr. Charles Lee, 
NSTAC Chair, concerning the possibility of a widespread outage affecting the public telephone network. 

17[20] See Annex A, p. B-33, for summary of Widespread Outage Subgroup Report, 1997. 

18[21] See Annex A, p. B-33, for summary of Widespread Outage Subgroup Report, 1998. 



• Offered recommendations to the President intended to decrease the overall probability of 
a widespread outage, including improving intercarrier coordination for widespread outage 
recovery; clarifying who has the authority to resolve legal and regulatory impediments to 
the rapid and orderly restoration of service during such outages. These recommendations 
also encourage the Federal Communications Commission (FCC) to (a) ensure that local 
number portability (LNP) national standards and requirements, including NS/EP, are 
agreed upon and adhered to before implementing LNP on a widespread basis; (b) allow 
sufficient time to complete reliability, interoperability, and security testing of new 
services and products before implementing regulatory mandates; and (c) urge established 
entities and newer entrants to adhere to and help develop industry standards and best 
practices. 

A fresh look is now being taken at the possibility of a widespread outage in the converging 
network environment in response to an October 2000 request by the Assistant to the President for 
Science and Technology. I9[22] Among the questions to be answered are (1) How should existing 
NSTAC, National Communications System (NCS)/NCC, and other private and Government 
organizations evolve with the networks to ensure a quick, organized, and technically competent 
response in the case of a widespread outage? (2) What reasonable steps could the Government 
take to help the NSTAC, and industry in general, better prepare to react to a widespread outage 
in these networks? The preliminary analysis of NS/EP telecommunications in a converged 
network environment focused on its relative immaturity when compared with the legacy PSN. 
According to this analysis, NS/EP communications should utilize the converged network, but 
until complete confidence is established, the community should not rely exclusively on services 
based on converged networks. A formal interim report will be presented at the NSTAC XXIV 
meeting in June 2001. 

Cross-Sectoral Assessments. An initial cross-sectoral assessment was undertaken in 1993 when 
an NSTAC Energy Task Force addressed the telecommunications electric service priority and 
national energy strategy review. 20[23] In January 1995, the Director of the National Security 
Agency briefed the NSTAC on threats to U.S. information systems and the need to improve the 
security of critical national infrastructures. In March, the NSTAC advised the President that 
“[the] integrity of the Nation’s infonnation systems, both government and public, are 
increasingly at risk to intrusion and attack . . . other national infrastructures . . . [such as] finance, 
air traffic control, power, etc., also depend on reliable and secure information systems, and could 
be at risk.” 21[24] Four months later, President Clinton “welcomed” the Advisory Committee’s 
continuing efforts to work with the Administration in this area and asked for “input from the full 
range of national information infrastructure users” to assess the NS/EP requirements for the 
Nation’s rapidly evolving information infrastructure. 22[25] Shortly thereafter, Presidential 


19[2i] October 24, 2000, letter from Dr. Neal Lane, Assistant to the President for Science and Technology, to Mr. Daniel 
Burnham, NSTAC Chair, concerning the possibility of a widespread outage of the converged network and NGN. 

20[23] Energy Task Force Report, NSTAC XV, May 1993. More recently, the Network Reliability and Interoperability Council 
has adopted the telecommunications electric service priority recommendation as part of its best practices. 

21[24] March 20, 1995, letter from Mr. William Esrey, NSTAC Chair, to President Clinton, regarding the security of the national 
infonnation infrastructure (Nil). 

22[25] July 7, 1995, letter from President Clinton to Mr. William Esrey, NSTAC Chair, regarding the security of the Nil. 



Decision Directive 39 was released. It directed the Attorney General to lead a govemmentwide 
effort to reexamine the adequacy of the Nation’s infrastructure protection. 23[26] 


Building on the methodology developed by the Government and the NSTAC in the earlier risk 
assessments to the PN, information assurance (IA) risk assessments were conducted for the 
electric power infrastructure in March 1997, 24[27] financial services in December 1997, 25[28] and 
transportation in June 1999. 26[29) Extensive outreach was conducted with each of the sectors, and 
each infrastructure’s dependency on infonnation technology and the associated IA risks to its 
information systems were examined. Follow-up recommendations were sent to the President, 
many of which remain valid, and some of which appear applicable to other critical 
infrastructures. It is recommended that these assessments be referenced in the National Plan as 
models for developing sector-specific assessments. 

NATIONAL PLAN OBJECTIVES: DETECT AND RESPOND 

Identifying and assessing an attack in time, and then containing the attack, quickly recovering 
from it, and affecting reconstitution requirements—the stated purpose of this objective—are 
functions presently being carried out by the NCC. 

The NCC Information Sharing and Analysis Center (ISAC). Established in 1984 to assist in 
the initiation, coordination, restoration, and reconstitution of NS/EP communications facilities 
and services, this coordinating mechanism’s functions have since evolved in response to changes 
in technology and in the nature of threats to the telecommunications and infonnation 
infrastructures. As previously discussed, the NCC’s initial focus was on physical threats. 

In response to a request from the Manager, NCS in 1997, the NCC developed an indications, 
assessment, and warning response capability and began perfonning an electronic-intrusion 
incident-information processing function. During 1999, the NSTAC determined that the NCC 
was perfonning the primary functions of an ISAC for the telecommunications sector and 
recommended that industry and Government establish it as such. In January 2000, the National 
Security Council recognized the NCC as an ISAC; 27[30] and in March 2000, the NCC began initial 
operations as an ISAC for the telecommunications sector. 281311 In this new role, the NCC-ISAC 
gathers infonnation about vulnerabilities, threats, intrusions, and anomalies from the 
telecommunications industry, Government, and other sources, and then analyzes the data with 
the goal of averting or mitigating effects on the communications and infonnation infrastructures. 
Results are sanitized and disseminated in accordance with infonnation-sharing agreements 
established by the NCC-ISAC participants. Cross-sector infonnation sharing is also being 
explored. 


231261 U.S. Policy on Counterterrorism: PDD-39, July 21, 1995. 

241271 See Annex A, p. B-20, for summary of Electric Power Information Assurance Risk Assessment. 
i5[281 See Annex A, p. B-21, for summary of Financial Services Risk Assessment Report. 

261291 See Annex A, p. B-22, for summaries of Interim Transportation Information Risk Assessment Report and Transportation 
Information Assurance Risk Assessment Report. 

27[30] January 18, 2000, letter from Mr. Richard Clarke, National Coordinator for Security, Infrastructure Protection and Counter¬ 
terrorism, to Mr. Art Money, Assistant Secretary of Defense for Command, Control, Communications, and Intelligence 
regarding the designation of the NCC as an ISAC. 

281311 See Annex A, p. B-39, Attachment A, National Coordinating Center for Telecommunications. 



In a dry run as an IS AC, the NCC served as the telecommunications sector’s focal point for the 
Nation’s Year 2000 (Y2K) activities. The findings and recommendations and lessons learned 
should prove helpful to other infrastructures as they develop their own ISACs. 291321 

The NSIE Forum. The previously referenced NSIE process provides yet another capability for 
industry and Government sharing of sensitive information to further help reduce the vulnerability 
of the Nation’s telecommunications systems to electronic intrusion. However, whereas the NCC 
focuses on near real-time operational response to all-hazards, the NSIEs’ focus on post-event 
analysis of threats to and vulnerabilities of networks. 

NATIONAL PLAN OBJECTIVE: BUILD STRONG FOUNDATIONS 

This objective identifies “things we must do as a Nation to create and nourish the people, 
organizations, laws and traditions which will make us better able” to address the other two broad 
objectives—Prepare and Prevent, and Detect and Respond—to attacks on the critical infonnation 
and communications sector. 

Enhancement of R&D. The NSTAC has a long-standing interest in enhancing CIP-related 
R&D. Through its own studies and through public R&D exchanges among industry, 
Government, and academia, topics requiring study and funding have been affirmed and 
reaffirmed. The R&D Exchanges held in 1991, 1996, 1998, and 2000 are illustrative of the 
NSTAC’s outreach activities to improve cyber-security. More are likely to be held in the future. 
The NSTAC voiced numerous concerns that have yet to be resolved, 301331 particularly— 

• The lack of an overarching national technology policy that articulates a vision with 
respect to Federal intrusion detection R&D. 

• The need for R&D focus on the network and infrastructure levels and on the 
establishment of testbeds and laboratories to develop standards, metrics, and testing 
procedures. 

• The need to educate and train employees on recognizing intrusion and heightening their 
awareness of the risks posed by electronic intrusion. This need complements the 
National Plan’s Outreach Program to Make Americans Aware of the Need for Improved 
Cyber-Security. 

The need exists to offset the high costs and high risks associated with R&D in security 
technology (i.e., tax credits and other financial incentives might allow companies to minimize 
their risks and encourage commercial enterprises to increase the funding of security technology 
R&D). 

During the two most recent R&D Exchanges, representatives from the academic sector played 
major roles. Their contributions are reflected in many of the recommended areas for R&D. 311341 


291321 See Annex A, p. B-35, Information Sharing/Critical Infrastructure Protection Task Force Report. 
301331 See Annex A, p. B-41, for summary of NSTAC R&D Exchange Proceedings. 

311341 See Annex A, p. B-41, for summary of NSTAC R&D Exchange Proceedings. 



Two of the recommendations complement the Federal National Plan’s program to Train and 
Employ Adequate Numbers of Information Security Specialists: 


• IA Centers of Excellence in academia should be supported and new ones established. 

• Programs to create financial incentives for students to pursue computer security 
disciplines at the graduate and undergraduate levels need to be implemented, such as the 
Scholarship for Services Program under the Federal Cyber Service initiative. Current 
programs, rather than remaining concentrated on “respond and react” technologies, 
should consider the full range of risk management needs. 

A third recommendation suggests that in seeking to build security solutions, it is vital to conduct 
research activities in other areas, such as operations, legal and public policy, and human factors. 

Legislative Initiatives. Even though the NCC-ISAC is functioning, participants continue to 
express concerns about the legal and regulatory barriers to voluntary information sharing, which 
is a linchpin of CIP. 

Foremost among the legal impediments is the Freedom of Information Act (FOIA), recognized 
from the outset as a barrier to voluntary information sharing. In preparation for the Y2K roll¬ 
over, the NSTAC recommended to the President that the then-pending Y2K Information and 
Readiness Disclosure Act be supported. 32[35] The legislation, which was enacted into law (Public 
Law 105-271), included a provision that information voluntarily shared with the Government is 
to be treated as part of a “special data gathering” and is therefore exempt from disclosure under 
FOIA. During the last session of Congress, the NSTAC wrote to the President and 
recommended support of FOIA legislation, similar to that in the Y2K legislation, relative to 
information voluntarily shared for CIP. 33[36] However, some member companies believe that 
many issues still need to be addressed and/or clarified in any new FOIA proposal. 

Nevertheless, eliminating this barrier is just one of many issues that need resolution, in 
particular, antitrust, liability, the treatment of classified information and national security 
concerns, State government liability disclosure, and protection of trade secrets and proprietary 
information. Industry/Govemment dialogue in this area is needed. 

Impediments to Information Sharing. Other barriers to infonnation sharing should be 
addressed in the National Plan. The Government should review infonnation sharing that is 
taking place in addition to that in the ISACs. Industry is presently being asked to share 
information, much of it the same, with Government through several other channels. Some 
companies may be reluctant to share information lest it be used to gain competitive advantage; 
individual participants may be reluctant as well. The voluntary infonnation-sharing processes of 
the NCC and the NSTAC NSIE have proven successful on a company disclosure basis. In other 
cases, remedies may include developing pertinent nondisclosure agreements among the 


32[35] September 18, 1998, letter from Mr. Van B. Honeycutt, NSTAC Chair and CEO, Computer Sciences Corporation, to the 
President that recommending the President support the Y2K Information and Readiness Disclosure Act. 

33[36] August 7, 2000, letter from Mr. Van B. Honeycutt, NSTAC Chair and CEO, Computer Sciences Corporation, to the 

President recommending that the President support legislation similar to the Y2K Information and Readiness Disclosure Act. 



participants. Anonymity-based processes are starting to prove successful for larger groups. 
These factors should be taken into account in the development of ISACs. 


PROPOSED NEW BROAD OBJECTIVE: INTERNATIONAL CONSIDERATIONS 

Soon after the release of An Agenda for Action in the early 1990s, 34[37] the Government started 
focusing on developing and expanding the global infonnation infrastructure (GII). Most 
recently, the NSTAC examined globalization. 351381 The wide range of issues addressed included 
the current and future nature of the GII and the impact of the GII on NS/EP communications in 
2010, the foreign ownership of NS/EP critical communications services systems, and technology 
export policies. Although no international issues were raised in Version 1.0, it is proposed that a 
new broad objective—International Considerations—be included in Version 2.0, as well as the 
following conclusions: 

• Global Broadband Capabilities. NS/EP telecommunications capabilities in 2010 should 
be facilitated by a GII featuring new technologies and improved network features and by 
increased global availability of broadband communications, with satellite 
communications and wireless technologies bringing the GII and NS/EP communications 
to less accessible geographic regions. However, there is no guarantee that all essential 
communications capabilities will be ubiquitously available. It has been recommended to 
the President that prudent NS/EP communications contingency planning consider 
end-to-end systems using a broad range of wireless, satellite, and terrestrial capabilities, 
including operational tests. New technical and operational issues, including use of 
foreign Internet protocol-based networks and NGN will likely need to be considered. 

• Foreign Ownership. Increased foreign ownership and/or control of critical U.S. 
telecommunications facilities through which NS/EP services are provided is a significant 
development. However, the current regulatory structure, including the regulatory review 
process established by the FCC, appears to be effectively accommodating the increasing 
levels and types of foreign ownership of U.S. facilities, while allowing the Government 
to retain the authority to prevent any such ownership from compromising national 
security interests. A Cabinet-level interagency committee—the Committee on Foreign 
Investments in the United States—provides additional oversight in proposed mergers, 
acquisitions, or joint ventures involving a foreign entity. On the foregoing basis, it has 
been recommended to the President that this review process remain adequate to protect 
NS/EP concerns. 

• Export Controls. Technology export policies dealing with the transfer of strong 
encryption products, satellite technology, and high-perfonnance computers are critical 
issues. But given that technology progresses faster than policy, industry and Government 
should continually evaluate the limits placed on technology exports. 


341371 An Agenda for Action, September 15, 1993. 

351381 See Annex A, p. B-44, for summary of Globalization Task Force Report. 



CONCLUSIONS 


No technology has been more responsible for the dramatic changes to the Nation’s 
infrastructures than the technologies associated with the I&C sector. As the Nation and the 
Government become even more dependent on the telecommunications and information 
infrastructure, the role of NSTAC as an advisory body is taking on new dimensions. The cited 
reports, upon which this submission is based, can serve as a baseline for intensifying the 
dialogue as well as illustrating the type of analytic support the NSTAC’s task force oriented 
process can provide. Specifically, we encourage the I&C sector, individual companies, and 
Government to continue to work together to— 

• Protect the Nation’s critical infrastructures 

• Further the dialogue establishing a National Plan. 

This dialogue should include discussion of one of the previously stated “Shared Challenges” (see 
p. B-2) that involves the different perspectives that industry and Government have regarding the 
threat to critical infrastructures. On the whole, industry believes it understands and is adequately 
mitigating the threat to its operations. At the same time, the Government has referred to an 
increased, hostile international threat to the critical national infrastructures. However, this threat 
is unclear. Without a clear and present danger, it is difficult for industry to justify spending 
additional dollars for augmenting protection of its systems. 

Thus, beginning immediately, and at a minimum, the new Administration must continue the 
dialogue with industry and engage the NSTAC to cooperate on NS/EP issues critical to the 
Nation. Attendance by the President and members of his new Administration at NSTAC XXIV 
in June 2001 is key to resolving future issues. This meeting will provide an opportunity for the 
President to frame and present his agenda for the ongoing issues of the NSTAC. 
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INTRODUCTION 
Purpose of This Document 

This Annex supplies supplemental information, from previous reports of the President’s National 
Security Telecommunications Advisory Committee (NSTAC), 1[39] to The NSTAC’s Response to 
the National Plan. As a whole, this document provides a guide to what the NSTAC believes are 
important points for consideration as the Nation develops a strategy for critical infrastructure 
protection (CIP). Because the environment has changed since many of the summarized studies 
were completed, the document’s value should be understood in terms of the relevancy of the 
NSTAC’s cumulative thinking and collective lessons learned to ongoing efforts. No new 
recommendations are offered. As an informational document, it is intended to demonstrate how 
the NSTAC process has worked to yield insights that can provide the basis for future actions. 

Overview of the NSTAC 

The President created the NSTAC by Executive Order 12382 in September 1982 to provide a 
unique source of national security and emergency preparedness (NS/EP) communications policy 
expertise. For more than 18 years, the NSTAC has advised the President on issues pertaining to 
the reliability and security of telecommunications and the information infrastructure—issues that 
are critical to America’s security and commercial interests. Today, the NSTAC is recognized as 
a model for industry and Government collaboration. Its record of accomplishments includes 
substantive recommendations to the President, leading to enhancements of the Nation’s NS/EP 
telecommunications and related information systems posture. Enhancements in the form of 
operational programs and policy solutions benefit both industry and Government as the Nation’s 
security requirements and information infrastructure evolve. 

The principal NSTAC working body is the Industry Executive Subcommittee (IES). The IES 
meets regularly to identify issues, undertake analyses, and consider recommendations for 
presentation to the NSTAC. The IES fonns ad hoc task forces to address specific policy, 
operational, or technical issues that require further substantive examination. This flexible 
working structure allows the NSTAC to proactively investigate issues as changes occur in the 
broader policy, technological, regulatory, business, and threat environments. 

The NSTAC also collaborates with the Government through regular participation in the National 
Coordinating Center for Telecommunications (NCC), including its Infonnation Sharing and 
Analysis Center (ISAC) component, and the Network Security Information Exchange (NSIE) 
process. 


1[39] Copies of reports can be obtained via the World Wide Web at www.yics.sov or from the Office of the Manager, National 
Communications System, Customer Service Division. 




The NCC was established in 1984 as a result of an NSTAC recommendation to develop a joint 
industry and Government national coordinating mechanism to respond to the Federal 
Government’s NS/EP communications service requirements. The NCC’s mission is to assist in 
the initiation, coordination, restoration, and reconstitution of NS/EP communications services or 
facilities. Currently, 15 NSTAC member companies are represented in the NCC. 

The NSTAC was instrumental in fonnalizing the NCC’s responsibilities to include functioning 
as an ISAC for the telecommunications infrastructure. Designated as an ISAC in January 2000, 
the NCC-ISAC was the second ISAC to be formed following the promulgation of Presidential 
Decision Directive 63 (PDD-63) and the only ISAC with industry and Government membership. 
The NCC-ISAC gathers information about vulnerabilities, threats, intrusions, and anomalies 
from the telecommunications industry, Government, and other sources. The NCC-ISAC then 
analyzes the data with the goal of averting or mitigating effects on the communications 
infrastructure. Results are sanitized and disseminated in accordance with sharing agreements 
established by the NCC-ISAC participants. 

In 1991, the NSTAC, working with the National Communications System, recommended 
establishing an industry and Government partnership to reduce the vulnerability of the Nation’s 
telecommunications systems to electronic intrusion. To that end, the NSIE process was 
established as a forum in which industry and Government could share information in a trusted 
and confidential environment. The NSIE process continues to function today, demonstrating that 
industry and Government will share sensitive security infonnation if they find value in doing so. 
In 1998, PDD-63 called for the establishment of similar infonnation-exchange forums to reduce 
vulnerabilities in all critical infrastructures. 

Background on NSTAC Activities As They Relate to Critical Infrastructure Protection and 
Information Assurance 

The NSTAC has directly addressed infonnation assurance (IA) and CIP issues since 1995. At 
the January 16, 1995, NSTAC XVII meeting, the Director of the National Security Agency 
briefed the NSTAC Principals on threats to U.S. infrastructures. In the ensuing months, the 
NSTAC sponsored several meetings with representatives from the national security community, 
law enforcement, and civil departments and agencies to discuss infonnation warfare (defensive) 
and IA issues. At the May 15, 1995, NSTAC IES working session, the members established the 
Infonnation Assurance Task Force (IATF) to serve as a focal point for IA issues. More 
specifically, the IES charged the IATF to work with the U.S. Government to identify critical 
national infrastructures and their importance to the national interest, schedule elements for 
assessment, and propose IA policy recommendations to the President. 

The IATF worked closely with industry and Government representatives to identify critical 
national infrastructures and ultimately selected three for study—electric power, financial 
services, and transportation. To address the distinctive characteristics of those infrastructures, 
the IATF established three risk assessment subgroups to examine each infrastructure’s 
dependence on infonnation technology and the associated IA risks to its infonnation systems. 
Following NSTAC XIX, March 18, 1997, the IES renamed the IATF the Information 



Infrastructure Group (IIG) and gave it the mission to continue acting as the focal point for 
NSTAC IA and infrastructure protection issues. 


The IIG worked closely with the President’s Commission on Critical Infrastructure Protection 
and other Federal organizations concerned with examining physical and cyber threats to the 
Nation’s critical infrastructures. Federal efforts to examine IA/CIP issues culminated with the 
release of presidential policy guidance—PDD-63. Recognizing that those infrastructures are 
predominantly owned and operated by the private sector, PDD-63 envisions the creation of a 
public-private partnership that is “genuine, mutual, and cooperative” to facilitate the elimination 
of vulnerabilities in the Nation’s critical infrastructures. Subsequently, PDD-63 implementation 
became a focal point for the IIG’s activities. 

Applying its years of experience in joint industry and Government planning, the NSTAC 
initiated a dialogue with senior Administration officials on issues related to IA/CIP policy and 
the implementation of PDD-63. A key element was the need for public-private partnerships to 
address infrastructure vulnerabilities. Specifically, the NSTAC offered lessons learned in 
building joint mechanisms like the NCC and the Government and NSTAC NSIE. The IES, 

NCC, and NSIE provide the mechanisms and procedures for industry to address NS/EP 
telecommunications and information technology issues at the policy, operational, and technical 
levels, respectively. The NSTAC also presented to the President its recommendations having 
applicability to PDD-63, including recommendations regarding an Infonnation Systems Security 
Board (ISSB) 2[40] and the National Coordinating Mechanism (NCM) 3[41] concept. 

NSTAC advice to the President and collaboration with the Administration have had significant 
applicability to PDD-63 implementation. PDD-63 directs Federal lead agencies to identify 
infrastructure sector coordinators within industry to provide perspective on CIP programs. At 
NSTAC XXI in September 1998, the NSTAC concluded that more than one entity or sector 
coordinator would be required to represent the diverse Infonnation and Communications (I&C) 
sector. In February 1999, following IES outreach to the Administration on the issue, the 
Department of Commerce acted in concert with NSTAC advice and selected three industry 
associations—the Infonnation Technology Association of America, the Telecommunications 
Industry Association, and the United States Telecom Association—to serve as sector 
coordinators for the I&C sector. 


^ 40] In 1997, the NSTAC finalized the concept and model for an ISSB—a private sector entity intended to improve the common 
understanding of the nature and purpose of infonnation systems security. The ISSB would promote information systems 
security principles and standards to improve the reliability and trustworthiness of commercial information products and 
services. 

3[41] In 1997, the NSTAC revisited its earlier concept for an industry/Government mechanism to coordinate planning, 
infonnation sharing, and resources in response to NS/EP requirements. Unlike the original NCM plan that applied to the 
telecommunications infrastructure (and which led directly to the establishment of the NCC in 1984), the revised NCM concept 
involved linking all of the Nation’s critical infrastructures (e.g., telecommunications, financial services, electric power, 
transportation). 



PDD-63 also calls for the private sector to explore the feasibility of establishing one or more 
ISACs. On the basis of the December 1997 NSTAC XX recommendation regarding a 
cross-infrastructure NCM, IES representatives engaged in a dialogue with senior Administration 
officials on the prospects of creating multiple infrastructure-based ISACs. That dialogue was 
important to the eventual decision to recognize the NCC as an ISAC for telecommunications. 
Subsequently, several sector-specific ISACs were created. 

Finally, PDD-63 emphasizes the importance of relying on nonregulatory solutions to address 
infrastructure vulnerabilities. In satisfying this objective, the Administration has underscored the 
value of promoting industry standards and best practices to improve IA. That approach is 
consistent with, and follows on, the December 1997 NSTAC XX recommendation regarding the 
creation of an IS SB—a private sector entity intended to promote information systems security 
principles and standards to improve the reliability and trustworthiness of infonnation products 
and services. 

At the June 9, 1999, NSTAC XXII meeting, the National Coordinator for Infrastructure Protection, 
Security, and Counter-terrorism asked the NSTAC to provide comments on the draft version of the 
National Plan for Information Systems Protection (National Plan). The IES reviewed the draft 
plan and provided general comments for the Administration’s consideration. The comments were 
based on the NSTAC’s long history of partnership with the Government and reflected input 
informally provided to the Director of the Critical Infrastructure Assurance Office earlier in 1999. 
Specifically, members recommended that several principles for partnership identified by the 
NSTAC be considered for inclusion in the National Plan. Some of these principles were 
incorporated into Version 1.0 of the National Plan, which the White House released on 
January 7, 2000. Reflecting the NSTAC’s ongoing contributions to the development of CIP 
policy, the Department of Defense Infrastructure Assurance Plan—incorporated as part of the 
National Plan—specifically mentions the NSTAC as an industry/Government partnership model 
for exchanging information. The NSTAC is also further cited as an example of “industry 
commitment to . . . the public good,” and of how industry can partner with Government to improve 
infonnation security. 

The NSTAC formed the Infonnation Sharing for Critical Infrastructure Protection Task Force 
(ISCIPTF) in September 1999 to focus on infonnation-sharing issues associated with CIP. 
Specifically, the task force, among other things, continued interaction with Government leaders 
responsible for PDD-63 implementation, and examined mechanisms and processes for protected, 
operational infonnation sharing that would help achieve the goals of PDD-63. Following a 
request by the National Coordinator for Infrastructure Protection, Security, and 
Counter- terrorism at the May 16, 2000, NSTAC XXIII meeting for additional NSTAC 
comments on Version 1.0 of the National Plan, the ISCIPTF drafted The NSTAC’s Response to 
Version 1.0 of the National Plan, including this annex. 



INFORMATION AND COMMUNICATIONS (I&C) SECTOR INTERDEPENDENCIES 


Profound changes in the Nation’s infrastructures involving interdependency, deregulation, and 
reliance on technology are creating new challenges to the assurance of infrastructure services. A 
few particular infrastructures are so vital that their incapacity or destruction would significantly 
compromise the defense and economic security of the United States. No technology has been 
more responsible for this dramatic change and had a more profound effect on the other 
infrastructures than the technologies associated with the I&C infrastructure. The national critical 
infrastructure systems incorporate a mix of public and private ownership entities that bring to the 
table varying perspectives concerning security, protection, and economic competitiveness. 
Private owners, faced with loss of revenue and loss of confidence by their customers, regulators, 
investors, and insurers, seek to restore revenue and customer confidence, satisfy regulators, 
document losses, and avoid liability. Governments focus on protecting national security, 
preventing future attacks, and identifying and punishing attackers. As a result of the dichotomy 
of interests, any solution to or recommendation for the protection of critical infrastructures 
requires the participation of private industry in concert with Government. 

In January 1995, the Director of the National Security Agency briefed the National Security 
Telecommunications Advisory Committee (NSTAC) on threats to U.S. information systems and 
the need to improve the security of critical national infrastructures. Reflecting on that 
information, the NSTAC Principals discussed emerging threats to information systems and 
subsequently forwarded a correspondence on the matter to President Clinton in March 1995. It 
stated that “[the] integrity of the Nation’s infonnation systems, both government and public, are 
increasingly at risk to intrusion and attack . . . other national infrastructures . . . [such as] finance, 
air traffic control, power, etc., also depend on reliable and secure information systems, and could 
be at risk.” President Clinton replied to the NSTAC in July 1995, stating that he would 
“welcome NSTAC’s continuing efforts to work with the Administration to counter threats to our 
Nation’s infonnation and telecommunications systems.” The President further asked the 
NSTAC, with “input from the full range of national information infrastructure users,” to assess 
the national security and emergency preparedness requirements for the Nation’s rapidly evolving 
information infrastructure. Through dialogue with Government, the NSTAC identified three 
priority critical infrastructures for assessment. 

The NSTAC built on the methodology developed by the Government and the NSTAC Network 
Security Infonnation Exchanges to assess the security risks to public networks. Using that 
methodology, the NSTAC began to study the electric power, financial services, and 
transportation infrastructures. Specifically, the NSTAC examined each infrastructure’s 
dependency on infonnation technology and the associated information assurance risks to its 
information systems. The NSTAC completed the risk assessments of the electric power, 
financial services, and transportation infrastructures in March 1997, December 1997, and June 
1999, respectively. In each assessment, follow-up recommendations were sent to the President, 
many of which remain valid, and some of which appear applicable to other critical 
infrastructures. 



Information Assurance Task Force (IATF), Electric Power Information Assurance Risk 
Assessment, March 1997 

In March 1997, the NSTAC issued a report to the President that assessed the security of the 
electric power control networks and electric power grid. The NSTAC detennined that the 
electric power industry was undergoing significant change, fueled by marketplace forces and 
Federal legislative and regulatory activities. 

The NSTAC found that this change was stimulated by new players entering the power generation 
and delivery market and by existing utilities being required to offer open access to their 
transmission systems. The previously tightly integrated functions of power generation, 
transmission, and marketing were being separated within utilities; and some were even spinning 
off into new companies. Utilities were also rapidly expanding their use of infonnation systems 
and interconnecting previously isolated networks because of competition, aging proprietary 
systems, and reductions in staff and operating margins. 

The NSTAC recognized that, although physical destruction was still the greatest threat facing the 
electric power infrastructure, electronic intrusion of the utilities’ infonnation systems and 
networks represented an emerging threat. The NSTAC concluded that the probability of a 
nationwide disruption of electric power through electronic intrusion, short of a major coordinated 
attack, was extremely low, but the potential for short-tenn disruptions at the regional level was 
increasing. The NSTAC found that the industry considered the primary threat to infonnation 
systems to be from insiders. Downsizing, increased competition, and the shift to standard 
protocols would add to the potential sources of attacks, whether from inside or outside a utility. 

The NSTAC also examined recent legislation that had increased the jurisdiction of Federal, 

State, and local law enforcement authorities over attacks on electric power control systems. It 
found that the lack of effective reporting mechanisms, inconsistent use of logins, passwords, and 
warning banners, and a low probability of being detected, caught, and prosecuted hindered 
effective deterrence of potential attackers. 

The NSTAC determined that the substations presented the most significant information security 
vulnerability in the power grid. The NSTAC also found that many of the automated devices 
used to monitor and control equipment within transmission and distribution centers and corporate 
data networks, widespread use of dial-up modems, and use of public networks were other 
sources of vulnerabilities in the electric power grid. 

The NSTAC recognized that utilities used a variety of mechanisms to protect the electric power 
grid from disruption, including contingency analysis, redundant control centers, dial-back 
modems, and firewalls. However, few utilities had an information security function for their 
operational systems, and the lack of convincing evidence of a threat tended to lead senior 
managers to minimize infonnation security investments. 

Although the NSTAC’s study found no evidence of a disruption of electric power caused by an 
electronic intrusion, it concluded that three trends would increase the exposure of the electric 
power control network to attack: 



• The shift from proprietary mainframe control systems to open systems and standard 
protocols 

• Increasing use of automation, outside contractors, and external connections to reduce 
staff and operating costs 

• The requirement to provide open access to transmission system information dictated 
under Federal Energy Regulatory Commission orders 888 and 889. 

The NSTAC included in its recommendation to the President that he consider assigning to the 
appropriate department or agency the mission to develop and conduct an ongoing program with 
the electric power industry to identify the threat and increase the awareness of vulnerabilities and 
available or emerging solutions. 

IATF, Financial Services Risk Assessment Report, December 1997 

The NSTAC delivered a financial services Infonnation Assurance (IA) risk assessment report to 
the President in December 1997. The study reflected that the financial services infrastructure 
was sufficiently protected and prepared, at the national level, to address a broad range of current 
threats, from natural disasters to electronic intrusions. However, the NSTAC found that there 
were security implications and potential vulnerabilities associated with the financial service 
sector’s dependence on a telecommunications infrastructure being subjected to deregulation, the 
integration of dissimilar information systems and networks resulting from mergers and 
acquisitions, and the introduction of Web-based banking services. 

The study focused on three objectives: 

• Assess the security and robustness of the financial services infrastructure at the national 
level relative to the identified threats to its networks and infonnation systems 

• Detennine the risks to the industry that derive from its dependence on the 
telecommunications infrastructure 

• Examine the implications of trends regarding the industry’s use of information systems 
and networks. 

The NSTAC found that the financial services industry approached the protection of its networks 
and infonnation systems as an integral element of an overall program of risk-management 
accountable to the most senior levels of an institution. This approach is long established in the 
industry and affects every investment decision. The approach also incorporates security 
measures as fundamental risk controls. 

The NSTAC concluded that trends in banking, securities, and new technologies indicated that 
infonnation systems and networks would continue to be the primary vehicles for innovation and 
competition, enabling money, value, and related commerce to move with increasing velocity. It 
was further determined that, although the industry had suffered for its reluctance to discuss 
security issues in open forums through perceptions fostered by the media that the situation was 
far worse than it was, the financial institutions were very aware of the threats facing them. The 
financial institutions were also committed to any necessary investments in protection measures 
and had extensive experience addressing natural and man-made disasters and infrastructure 



outages. These measures taken by the industry put successful cyber attacks beyond the scope of 
all but a concerted nation-state effort. Physical attack remained the larger concern. 

Information Infrastructure Group (IIG), Interim Transportation Information Risk Assessment 
Report, December 1997; IIG Transportation Information Assurance Risk Assessment Report, 
June 1999 

The NSTAC initiated its transportation IA risk assessment in December 1996. The findings 
were included in an interim report to the President in December 1997. The report concluded that 
the transportation industry lacked a unifonn understanding of information system risks and 
vulnerabilities, and the industry lacked consistent methods for assessing vulnerabilities or 
gauging information system security. The report also concluded that the transportation industry 
was generally skeptical that meaningful industry and Government information sharing about 
system threats and vulnerabilities could be achieved. 

The NSTAC came to the following six conclusions about risks to the transportation 
infrastructure: 

• The transportation industry is increasingly reliant on infonnation technology (IT) and 
public networks. 

• Although a nationwide disruption of the transportation infrastructure is unlikely, even a 
local or regional disruption could have a significant impact. 

• Business pressures and widespread utilization of IT make large-scale, multimodal 
disruptions more likely in the future. 

• A need exists for a broad-based infrastructure assurance awareness program to assist all 
modes of transportation. 

• The transportation industry could leverage ongoing research and development initiatives 
to improve the security of the transportation information infrastructure. 

• A need exists for closer coordination between the transportation industry and other 
critical infrastructures. 

The NSTAC recommended that the President continue support for the efforts of the Department 
of Transportation (DOT) to promote outreach and awareness within the transportation 
infrastructure as expressed in Presidential Decision Directive 63. These recommendations 
included the timely dissemination of Government infonnation on physical and cyber threats, 
support for research and development programs to develop methods to counter emerging cyber 
threats, joint industry and Government efforts to examine emerging industrywide vulnerabilities, 
and future DOT conferences to stimulate infonnation exchange on threats, vulnerabilities, and 
best practices. 




NETWORK TECHNOLOGY AND VULNERABILITIES 


Since early 1990, the U.S. Government and the President’s National Security 
Telecommunications Advisory Committee (NSTAC) have been working together to address 
network security issues. Central to this process are separate, but closely coordinated 
Government and NSTAC Network Security Information Exchanges (NSIE). The activities of 
the NSIE focus on issues of unauthorized penetration or manipulation of the public network (PN) 
software and databases affecting national security and emergency preparedness (NS/EP) 
telecommunications services. The NSIE conducted risk assessments of the PN in 1995 and 1999. 

More recently, the NSTAC undertook focused investigations of the vulnerabilities associated 
with the use of the Internet and electronic commerce technologies as they are increasingly being 
used to support NS/EP telecommunications functions. In addition, the NSTAC examined 
evolving network technologies and architectures, the implications for existing NS/EP priority 
services, and the potential for satisfying NS/EP functional requirements in the Next Generation 
Network (NGN) environment. 

Government and NSTAC NSIE: An Assessment of the Risk to the Security of Public 
Networks, December 1995; Government and NSTAC NSIEs: An Assessment of the Risk to the 
Security of the Public Network, April 1999 

The most recent NSIE assessment of the risk to the PN determined that its earlier findings 
regarding the overall vulnerability of the PN remain valid. Old vulnerabilities are still being 
exploited, even though fixes are readily available for most of those discovered. Vulnerabilities 
in many of the PN’s diverse technologies (e.g., Signaling System 7 [SS7] and Synchronous 
Optical Network) remain. 

The following factors, summarized from the recent NSIE risk assessments, significantly heighten 
risk to the PN: 


• The Telecommunications Act of 1996: The Telecommunications Act of 1996 opened 
the telecommunications industry to increased competition and interconnection. As more 
providers gain access to network facilities, security measures become more complicated 
and difficult to implement. 


• The Business Environment: The telecommunications industry is a highly dynamic, 
fast-paced, global industry. Telecommunications organizations are increasingly adopting 
aggressive business practices to streamline operations and reduce costs. These business 
practices have increased the complexity of the PN, further increasing the difficulty of 
implementing network security measures. In addition, the changing business environment 
and rapid integration of newer technologies have increased the vulnerabilities of the PN. 
The operations, administration, maintenance, and provisioning systems and network 
operations centers are highly integrated and are increasingly dependent on commercial 
off-the-shelf technology. Potential intruders have ready access to information about these 
technologies and their vulnerabilities. This information is widely kn own and rapidly 



disseminated throughout the intruder community. 


• The threat to the PN continues to grow as the PN becomes a more valuable target 
and the intruder community develops more sophisticated capabilities to launch 
attacks against it: Lately, the intelligence community has increased its efforts to focus 
on defining the electronic intrusion threat to the PN. Intruder tools continue to improve 
and have become widely available, as has infonnation on vulnerabilities. The denial of 
service attacks in February 2000 provided additional evidence of malicious capabilities. 


• Technology: Telecommunications providers are transitioning from proprietary protocols 
to open-system protocols to manage their networks. In addition, traditional circuit- 
switched services are migrating to packet-switched networks. As this migration 
continues and new services such as Internet Protocol (IP) telephony proliferate, the PN 
may become more susceptible to well-known Internet vulnerabilities. 


• Public Switched Network (PSN)/Internet Connectivity: The Internet is rapidly 
converging with the PSN, increasing the opportunity for intruders to attack the PSN 
through the Internet. 


• Tools and Techniques: Security tools and techniques have evolved significantly in the 
last few years, and the telecommunications industry is taking advantage of this evolution 
to improve the security of its networks. Similarly, network intrusion tools and techniques 
have also improved substantially; and the intruder community is using these tools and 
techniques to attack the PN. 


The NSIE risk assessments found that as the PN has continued to expand, it has become an 
increasingly important part of the National Information Infrastructure. Government and 
corporate networks are more interconnected than ever before as these organizations increasingly 
rely on the PN to transmit critical business and operations information. Therefore, the perceived 
and substantive rewards for gaining illicit access to the PN are increasing, which makes 
protecting the PN more important than ever before: 

• Critical Infrastructure Protection: Concern grows within Government and the private 
sector over critical infrastructure protection. As Government and the owners of critical 
infrastructures work to ensure the reliability and availability of their own systems, these 
efforts could improve the security of the PN. 

• Legislation: Federal and State legislatures are addressing computer crime and imposing 
more severe penalties on electronic criminals, reflecting an increased awareness of the 
growing importance of the PN and the value of the infonnation transported over its 



networks. 


• Government and industry organizations have worked diligently to improve 
protection measures: Technology and awareness are clearly improving, and service 
providers and vendors are becoming more knowledgeable and skillful in implementing 
protection measures. At the same time, several factors limit the effectiveness of 
protection measures. Service providers’ knowledge of the entire network and, more 
important, ability to control the full extent of network connections are diminishing. 
Although technology protection measures, such as intrusion detection tools, have 
improved dramatically, their effectiveness is still inconsistent. Further, the individuals 
with the technical skills required to effectively evaluate and implement these tools are in 
short supply. 


• Continuing trends in law enforcement have increased the ability of Government 
and corporate organizations to deter the intrusion threat: The U.S. law enforcement 
community has developed a firm position on electronic intrusion. Intruders face more 
diligent prosecution efforts and can expect longer sentences if convicted. In addition, 
victims are gradually becoming more willing to report intrusions and cooperate with law 
enforcement. 


The most recent NSIE risk assessment concluded that absent a valid baseline to establish 
quantitative measures of the risk to the PN from electronic intrusion, it is difficult to definitively 
state how risk has changed over the past few years. Rapid advances in technology and 
environmental factors have changed the vulnerabilities and threats facing the PN, making it 
difficult to protect against intrusions. At the same time, the importance of the PN and the value 
of infonnation flowing over its networks are increasing, making the PN a more valuable target. 
Overall, according to the NSIE report, there is little evidence to suggest that the risk has 
diminished and many factors to suggest that it is growing. 

Network Group, Internet Report: An Examination of the NS/EP Implications of Internet 
Technologies, June 1999 

As the Government expands its Internet use to more critical applications, such as supporting 
NS/EP functions, concerns arise about how a severe disruption of Internet service might affect 
NS/EP operations. The NSTAC released the “Internet Report” in June 1999 to examine how a 
severe disruption of the Internet could affect NS/EP operations over the next 3 years, to identify 
vulnerabilities of network control elements associated with the Internet and their ability to cause 
a severe disruption of Internet service, and to examine how Internet reliability, availability, and 
service priority issues apply to NS/EP operations. 

The report concluded that agencies with NS/EP responsibilities are using the public Internet 
mostly for outreach, infonnation sharing, and e-mail, while direct dependence on the public 
Internet for mission-critical operations is currently modest. The NS/EP community is more 
likely to depend on dedicated Transmission Control Protocol/ Internet Protocol (TCP/IP) 



networks (intranets) for mission-critical NS/EP operations at present. However, NS/EP 
dependence on the Internet is likely to grow over the next several years because the public 
Internet offers a cost-effective, efficient means of communications; the Government is rapidly 
adopting electronic commerce (e-commerce), and Federal policies are promoting use of the 
Internet. Currently, critical infrastructures, such as medical services, banking and finance, gas 
and electric industries, and telecommunications, are increasingly using the public Internet for 
various processes, including exchange of business, administrative, and research information. 

The NSTAC also concluded that the infonnal and distributed management of Internet functions, 
the Domain Name System, Internet software including Berkeley Internet Name Domain, and 
procedural errors and unintentional actions invite potential vulnerabilities that could contribute to 
a disruption of Internet service. Because of the interconnected nature of the public Internet, a 
disruption or degradation of Internet operations could also affect the operations of dedicated 
TCP/IP networks/intranets. However, with the Internet’s highly diverse architecture and 
complex interconnection arrangements, consisting of thousands of Internet service providers 
(ISP), it is unlikely that the failure of any single node or transmission facility would cause a 
major Internet service disruption (see page A-19 for follow-on efforts). 

Presently, the reliability and security of the public Internet is generally considered inadequate for 
NS/EP mission-critical functions. There are no Internet technologies or applications that 
facilitate the same type of end-to-end NS/EP-related services available in the PSN. Although 
certain ISPs currently offer in-network quality of service (QoS) standards, no end-to-end QoS 
offerings are available via the public Internet. No economical incentives exist for ISPs to 
develop and offer NS/EP service enhancements over their networks. Many factors (e.g., lack of 
NS/EP demand and market characteristics) preclude the availability of NS/EP services over the 
Internet for the foreseeable future. 

The NSTAC recommended that the President direct the establishment of a permanent program to 
address NS/EP issues related to the Internet. The program should have the following objectives: 

• Work with the NS/EP community to increase understanding of evolving Internet 
dependencies. 

• Work with key Internet organizations and standards bodies to increase awareness of 
NS/EP requirements. 

• Interact with the appropriate Internet organizations and initiatives to investigate, develop, 
and employ NS/EP-specific Internet priority services, such as priority access, end-to-end 
routing, and transport. 

• Examine the potential impact of IP network-PSN Convergence on PSN-specific NS/EP 
priority services (e.g., Government Emergency Telecommunications Service and 
Telecommunications Service Priority). 

The NSTAC also recommended that the President direct the appropriate Government 
departments and agencies to leverage existing industry and Government partnership mechanisms 
to increase awareness of NS/EP requirements within key Internet organizations and standards 
bodies. 



Information Infrastructure Group (IIG), NS/EP Implications of Electronic Commerce Report, 
June 1999 

The public sector is in the midst of adopting systemwide changes that will incorporate 
e-commerce into Government operations. In June 1999, NSTAC issued a report to discuss 
implications of incorporating e-commerce into business operations within the NS/EP 
community. To investigate this topic, the NSTAC surveyed e-commerce literature and received 
briefings from diverse Government, industry, and academic sources. The committee also 
interviewed public and private sector officials responsible for implementing e-commerce policies 
and procedures. 

The NSTAC found that e-commerce use among NS/EP organizations has been limited to support 
nonmission critical activities; but as these organizations increase their reliance on e-commerce 
operations for NS/EP functions, the security of these e-commerce transactions will become more 
critical. As the NS/EP community transitions, the NSTAC concluded that it should be alerted to 
several issues that could affect how e-commerce is implemented. 

• NS/EP dependence on e-commerce, although modest at present, is likely to grow steadily 
over the next decade. 

• The NS/EP community must be aware of the vulnerabilities that arise from utilizing 
e-commerce hardware and software and make informed decisions regarding its 
implementation to achieve an acceptable level of risk. 

• The NS/EP departments and agencies must thoroughly assess current and future 
dependence on e-commerce application and architectures, the associated security 
implications, and the effect e-commerce will have on overall business operations. 

• In the new electronic environment created by e-commerce, the NS/EP community will 
depend on commercial products and an infonnation infrastructure that it neither owns nor 
operates. Therefore, the Federal Government and its partners in the private sector will 
share the NS/EP risks involved with e-commerce. 

• A unified and specific focus on NS/EP needs is lacking among organizations responsible 
for managing and administering oversight for e-commerce within the Federal 
Government. This lack of focus could lead to a lack of formal guidance, policy 
procedures, and accountability addressing NS/EP issues related to the adoption of 
e-commerce. 

The NSTAC concluded that what is needed is a focal point within the Federal Government to 
work with the various public and private organizations to increase their awareness of NS/EP 
issues related to e-commerce. The NSTAC recommended that the President designate this focal 
point for examining the NS/EP issues related to widespread adoption of e-commerce within the 
Government. The committee also recommended that the President direct the Federal 
departments and agencies, in cooperation with an established Federal focal point, to assess the 
effect of e-commerce technologies on their NS/EP operations. 

The NSTAC also saw a need to increase the NS/EP community’s awareness of the potential 
vulnerabilities related to e-commerce. Departments and agencies should work with the focal 
point to assess their current and future e-commerce dependence, and the vulnerabilities caused 
by e-commerce and its implementation. 



Information Technology Progress Impact Task Force (ITPITF) Report on Convergence, 

May 2000 

The NS/EP community depends heavily on priority treatment of voice calls within the PSN to 
support NS/EP operations, which is provided under the Telecommunications Service Priority 
(TSP) 4[42] and the Government Emergency Telecommunications Service (GETS) 5[43] program. 
Telecommunications service providers plan to transition traffic onto the NGN. The NSTAC 
examined the implications of the evolving public network architecture for priority treatment of 
NS/EP voice and traffic data and, specifically, the potential impact of IP network-PSN 
convergence on PSN-specific NS/EP priority services. The NSTAC’s report outlined the 
implications of convergence for existing NS/EP priority services and examined evolving network 
technologies and capabilities that could assist in satisfying existing NS/EP functional 
requirements in an NGN environment. 

The NSTAC reached the following conclusions: 

• The NS/EP community depends heavily on priority treatment of voice calls within the 
PSN to support NS/EP operations and will remain dependent for the immediate future. 

• The public network will change from separate switched-voice and packet-data networks 
to an interconnected network and then to a unified NGN over the next several years. 

• The potential implications of convergence and the NGN for GETS services include new 
blocking sources, lack of ubiquity and interoperability, lack of access to GETS features, 
disparate congestion handling, and a lack of commensurate network reliability and 
security. 

• NS/EP requirements are unlikely to be incorporated by industry unless the features 
needed to meet these requirements are standardized by industry, perhaps with prompting 
from the Government. 

• NS/EP traffic requires newly designed and standardized features to overcome new 
problems associated with packet networks. 

• To provide GETS-type services during convergence and in the NGN, QoS schemes must 
be expanded to provide services commensurate with NS/EP needs. 

• The current level of security safeguards incorporated into GETS is inadequate to maintain 
NS/EP functional requirements during convergence and in the NGN. 

• TSP, as originally conceived, remains relevant during convergence because restoration 
assignments can still be applied to identifiable segments of the PSN. 

• A potential implication for the TSP Program during convergence and in the NGN, as 
discussed by the TSP Oversight Committee (OC), is the inapplicability of the program to 
ISPs offering voice services. 

• The OC stated that TSP, as currently defined, did not and should not have a role in the 
NGN, and if the NS/EP community required similar types of priority services for packet 
networks, a new program would have to be established to support such services. 


The TSP Program is the regulatory, administrative, and operational framework for the priority provisioning and 
restoration of any qualified NS/EP telecommunications service. 

Developed in response to a White House tasking, GETS provides NS/EP users priority access to and specialized 
processing for NS/EP calls in local and long-distance networks. 



• TSP-type services in the NGN will provide for the priority provisioning and restoration 
of network services rather than circuit-based services. 

• Although specific NGN standards have not yet been developed to support NS/EP 
requirements, the NGN technology is capable of supporting these requirements. 

• Standards bodies are examining QoS and other new NGN capabilities that may be useful 
in satisfying certain NS/EP functional requirements in the NGN, and the appropriate 
departments and agencies should continue active participation in these groups. 

• QoS and other new NGN capabilities will require some enhancement to best satisfy 
specific NS/EP requirements. Therefore, the NS/EP community should determine, as 
soon as practicable, precise functional NS/EP requirements for the NGN. The 
appropriate departments and agencies should continue to participate in standards bodies 
activities related to NGN technologies to ensure that NS/EP requirements are considered 
during development and implementation phases. 

• As the NGN evolves, telecommunications carriers’ SS7 networks will become less 
discrete and more reliant on IP technology and interfaces. Therefore, it is necessary to 
consider the security, reliability, and availability of the NGN control space as it relates to 
the provision and maintenance of NS/EP service capabilities. 

The NSTAC recommended that the President direct the appropriate departments and agencies, in 
coordination with industry, to promptly determine precise functional NS/EP requirements for 
Convergence and the NGN, and ensure that relevant NS/EP functional requirements are 
conveyed to standards bodies and service providers during standards development and 
implementation. 



RISK MANAGEMENT 


Presidential Decision Directive 63 emphasizes the importance of relying on nonregulatory 
solutions to address infrastructure vulnerabilities. In satisfying this objective, the Critical 
Infrastructure Assurance Office has underscored the value of promoting industry standards and 
best practices to improve infrastructure assurance. That approach is entirely consistent with an 
NSTAC study initiated in 1995 and the resulting recommendation related to the creation of a 
private sector Infonnation Systems Security Board (ISSB). The NSTAC developed the ISSB 
concept as a potential means for providing consistent, standardized guidelines for the protection 
of commercial infonnation, systems, and networks. 

National Information Infrastructure (Nil) Task Force Report, February 28,1996; National 
Information Infrastructure (Nil) Task Force Report, March 1997 

During 1995, the NSTAC explored the concept of establishing an industry-operated security 
center of excellence as a potential focal point for enhancing the security component of the NIL 
The NSTAC identified several security functions considered important to improving Nil security 
and appropriate for the private sector to perfonn. After scoping potential organizational models 
for an ISSB, the NSTAC concluded that several business issues should be considered to 
detennine such an organization’s viability. 

In its in-depth follow-up study of the ISSB, which was completed in 1997, the NSTAC refined 
the concept and developed a model for an ISSB that could work with recognized testing 
laboratories and commercial security consulting services to strengthen the overall security of the 
information infrastructure. The NSTAC designed the model to promote infonnation systems 
security principles and standards to improve the reliability and trustworthiness of commercial 
information products and services. To gain feedback from the broad community, an Information 
Security Systems Board Concept Paper was written to outline the functions and processes of the 
ISSB and serve as the centerpiece for the outreach effort. Attached to the concept paper was a 
questionnaire designed to stimulate discussion and elicit comments regarding the proposed ISSB 
concept, the need for an ISSB, an appropriate role for the Federal Government, and membership 
issues. 

The NSTAC’s outreach effort revealed broad and general support for the ISSB concept among 
diverse industry groups. It also surfaced various questions and issues related to ISSB 
implementation, such as the appropriate role of the Federal Government, the relationship of the 
ISSB to ongoing infonnation security activities, and the international implications of the ISSB. 
The NSTAC concluded that the private sector was capable of establishing and operating the 
ISSB. Further, both the private sector and Government expressed support for private sector 
leadership of the ISSB without Government oversight or control. 

In response to additional NSTAC outreach, the private sector initiated an exploratory effort about 
establishing an ISSB, and the NSTAC continued to track its acceptance and progression within 
the community. 



RESPONSE AND RECOVERY 


On the basis of a National Security Telecommunications Advisory Committee (NSTAC) 
recommendation, the National Communications System (NCS) established the National 
Coordinating Center for Telecommunications (NCC) in 1984 as a joint industry and Government 
mechanism to assist in the initiation, coordination, restoration, and reconstitution of national 
security and emergency preparedness (NS/EP) telecommunications services and facilities under 
all circumstances. 

Since 1984, threats to the NS/EP telecommunications infrastructure have changed significantly. 
In response, the NSTAC undertook a series of studies to consider the implications of the new 
environment for the functions performed by the NCC. At the same time, the NSTAC revisited 
an earlier NSTAC concept—the National Coordinating Mechanism (NCM)—that could serve as 
a framework for responding to incidents across national infrastructures (e.g., electric power, 
financial services, and transportation). Separately, the NSTAC examined the possibility of a 
widespread outage in the public telecommunications network resulting from rapid changes in 
industry structure, regulation, and technology, as well as threat. 

More recently, in October 2000, the Assistant to the President for Science and Technology asked 
the NSTAC to take a fresh look at the possibility of a widespread outage in the converged/Next 
Generation Network environment. Citing previous NSTAC work (the May 2000 NSTAC 
Information Technology Progress Impact Task Force Report on Convergence), the request noted 
that convergence of voice and largely unregulated data networks will not only change the 
physical nature of the communications network but may also introduce many new technical, 
operational, and security concerns. 

Further, the Assistant to the President for Science and Technology stated that these challenges 
may require Government to develop new policies, plans, programs, and perhaps protections 
under law or other mandates to help ensure the availability of NS/EP communications. Among 
the questions to be answered are (1) How should existing NSTAC, NCS/NCC, and other private 
and Government organizations evolve with the networks to ensure a quick, organized, and 
technically competent response in the case of a widespread outage? (2) What reasonable steps 
could the Government take to help the NSTAC and the industry in general better prepare to react 
to a widespread outage in these networks? In November 2000, the NSTAC undertook a study to 
detennine whether a widespread outage of the converged and next-generation networks is a 
realistic possibility and the associated risk factors that the Government and industry need to 
consider. The preliminary analysis of NS/EP telecommunications in a converged network 
environment focused on its relative immaturity when compared with the legacy PSN. According 
to this analysis, NS/EP communications should utilize the converged network, but until complete 
confidence is established, the community should not rely exclusively on services based upon 
converged networks. The Convergence Task Force will explore the issue further. The NSTAC 
will provide an interim report to the Administration at the NSTAC XXIV meeting in June 2001. 



Operations Support Group (OSG) Reports of December 1997, September 1998, and 
June 1999. 

In 1996, the NSTAC began to examine whether the mission, organization, and capabilities of the 
NCC were still valid, considering the ongoing changes in technology, industry composition, 
threats, and requirements. Throughout 1997 the OSG worked closely with the NCS member 
organizations and NCC industry representatives to develop a common framework for assessing 
the NCC’s ongoing role. The OSG validated the original 10 NCC chartered functions and 
updated the NCC Operating Guide (both written in 1984) for the current operational 
environment. Also, in response to a request for assistance from the Manager, NCS, to develop 
an indications, assessment, and warning (IAW) response capability in the NCC, the group 
detennined that an electronic intrusion incident information processing function could be 
integrated into the NCC’s activities. In August 1997, the group held an industry and 
Government tabletop exercise to test the draft concept of operations for the NCC intrusion 
incident infonnation processing. In December 1997, the NSTAC approved the OSG report, 
which documents these activities, and endorsed the NCC’s implementation of an initial intrusion 
incident infonnation processing pilot program to develop the IAW function. 

During 1998, the OSG worked closely with the Office of the Manager, NCS, as the NCC 
implemented the IAW pilot, which was completed in October 1998. In addition, the OSG 
developed a document, NCC Intrusion Incident Reporting Criteria and Format Guidelines, to 
establish standardized reporting criteria and to outline steps in NCC electronic intrusion report 
collection, processing, and distribution. On the basis of the experience of the pilot and the work 
of the NSTAC’s OSG, the NCC decided to fully incorporate the IAW function into its 
operations. 

In its September 1998 report, the OSG concluded that the NCC provided a model for all 
infrastructures by which infonnation could be gathered, analyzed, sanitized, and provided to the 
Government. On the basis of that finding, the NSTAC recommended that lead departments and 
agencies, as designated in Presidential Decision Directive 63 (PDD-63), consider adopting the 
NCC model, as appropriate, for the various infrastructures to provide warning and information in 
response to cyber incidents. Furthermore, the NSTAC recommended that such activities take 
place in the context of the NCM concept developed by the OSG. The OSG refashioned the 
original NCM concept developed by the NSTAC to coordinate planning, infonnation sharing, 
and resources in response to NS/EP requirements. Unlike the original NCM plan that applied to 
the telecommunications infrastructure (and which led directly to the establishment of the NCC in 
1984), the revised NCM concept involved linking all of the Nation’s critical infrastructures. 

The OSG continued to assist the NCS and the NCC as the NCC implemented its pilot electronic 
intrusion incident processing function. The group also assessed whether the NCC required 
additional industry and Government participation within the NCC to widen the scope of 
expertise and operational personnel available to fulfill the IAW mission. Specifically, the group 
developed a list of companies and Government departments and agencies for the Manager, NCS, 
to consider as candidates for NCC participation. 

After further efforts during 1999, the NSTAC agreed with the OSG detennination that the NCC 
was performing the primary functions of an Information Sharing and Analysis Center (ISAC) for 



the telecommunications sector and concluded that industry and Government should establish it as 
such. PDD-63 proposed the concept of an ISAC as a private sector entity responsible for 
gathering, analyzing, sanitizing, and disseminating to industry private sector infonnation related 
to vulnerabilities, threats, intrusions, and anomalies affecting the critical infrastructures. In 
January 2000, the National Security Council agreed with the NSTAC’s 1999 conclusion that the 
NCC was serving as an ISAC. Following this, the NCC formally announced its operation as an 
ISAC for the telecommunications sector. 

Throughout the period from 1997 to 1999, the OSG also investigated the NCC’s operational 
readiness and coordination capabilities for potential public network disruptions caused by the 
Year 2000 (Y2K) problem. Among other things, it examined the need for Y2K outreach efforts, 
the need to emphasize contingency planning and restoration scenarios, the potential for public 
overreaction to the Y2K problem, and the lack of a global approach to handle Y2K issues that 
were international in scope. The findings and recommendations related to these efforts are 
included in the OSG’s final reports. Lessons learned from the NCC Y2K experience that could 
advance operational information sharing were examined by the NSTAC’s Information 
Sharing/Critical Infrastructure Protection Task Force and are discussed in the task force’s May 
2000 report. 

Network Group, Widespread Outage Subgroup (WOS) Report, December 1997 and 
Network Group Report, September 1998 

In April 1997, Dr. John Gibbons, Assistant to the President for Science and Technology, 
requested that Mr. Charles Lee, then Chairman of the President’s NSTAC, provide the NSTAC’s 
forward-looking views on the possibility of a widespread service outage in the public telephone 
network. 

The NSTAC defined widespread outage as a sustained interruption of telecommunications 
service that would have strategic significance to Government, industry, and the general public. 
Such an outage would likely affect the telecommunications service in at least one region of the 
country, including at least one major metropolitan area. It would involve multiple carriers, 
affecting both long-distance and local service, and significantly degrade the ability of other 
essential infrastructures to function. Such an outage would impact the availability and integrity 
of telecommunications service for at least a significant portion of a business day. 

The NSTAC found that U.S. telecommunications service providers have historically offered 
robustness, availability, and quality unparalleled by other public services. Although the public 
network (PN) track record is superlative, members determined that natural and technological 
threats could adversely affect telecommunications service. These threats could also disrupt other 
critical infrastructures, such as electric power, on which the PN is highly dependent for sustained 
operation. The NSTAC found that, while the PN’s supporting technologies provide an 
expanding array of services and features and facilitate robustness, these same supporting 
technologies can introduce exploitable vulnerabilities with adverse effects on service availability 
and reliability. Considering these threats and vulnerabilities, the NSTAC agreed that the 
potential concern for a widespread network outage is reasonable. Given the limited precedent 
for telecommunications outages of this magnitude, NSTAC members’ prior experiences with 
smaller-scale outages led them to conclude that there is a low probability of a widespread, 



sustained outage of public telephone service. However, the potential societal impacts of such an 
outage are high enough to warrant consideration. 

The NSTAC offered recommendations for the President to decrease the overall probability of a 
widespread outage, including— 

• Improve intercarrier coordination for widespread outage recovery 

• Remove legal and regulatory obstacles to widespread outage recovery 

• Foster education and awareness. 

Subsequently, in a 1998 follow-up study of the issue, the NSTAC reached the following 
conclusions: 

• The greatest opportunity for ensuring the continued reliability of the PN will ensue as 
both established entities and newer entrants adhere to and help develop industry standards 
and best practices. 

• The focal point for industry and Government coordination for operational matters has 
been and should remain at the NCC. The NCC has initiated an effort to expand the 
National Telecommunications Coordinating Network to improve communications 
capabilities with critical entities during network outage conditions. 



INFORMATION SHARING 


The Information and Communications (I&C) sector has numerous forums for sharing policy, 
operational, and technical infonnation. The President’s National Security Telecommunications 
Advisory Committee (NSTAC) and associated industry and Government entities have served as 
models for infonnation sharing for many years. Other new forums are being developed 
specifically in response to Presidential Decision Directive 63 (PDD-63), Critical Infrastructure 
Protection. By developing national security and emergency preparedness (NS/EP) 
telecommunications recommendations for the President, the NSTAC has provided, since 1982, a 
forum for developing and sharing policy information. The National Coordinating Center for 
Telecommunications (NCC) provides a forum for sharing operational telecommunications 
information among the industry and Government agencies participating in the NCC. The 
industry and Government Network Security Information Exchanges (NSIE) were established in 
1991 for exchanging lessons learned and technical information related to network security. 
Recently, the NSTAC has been investigating information-sharing issues as they relate to critical 
infrastructure protection and network security. As one of the results of these ongoing studies, the 
NSTAC recommended and the NCC has been designated as an Information Sharing and 
Analysis Center (ISAC) within the framework of PDD-63 (see Attachment A, NCC ISAC, at the 
end of this section). In addition, Congress, the Department of Justice, and others are actively 
considering legislation designed to encourage industry NS/EP disclosures by exempting that 
infonnation from release under the Freedom of Information Act (FOIA). The NSTAC has 
written to the President asking him to support such legislation, particularly legislation like the 
FOIA exemption in the Year 2000 (Y2K) Information and Readiness Disclosure Act. In addition, 
an initial outline has been developed discussing the types of provisions that FOIA legislation 
should include and that might best encourage industry sharing of NS/EP information. 

Information Sharing/Critical Infrastructure Protection (IS/CIP) Task Force Report, May 2000 
A focal point of the NSTAC’s report to the President was an examination of historical lessons 
learned that would advance operational information sharing in the context of critical 
infrastructure protection. 

Benefits of Information Sharing . The NSTAC recognized that, historically, infonnation sharing 
and the resulting benefits have been a function of trust. Information exchange in a trusted 
environment, which may be achieved only gradually, helps both industry and Government 
participants build on lessons learned by others. As trust builds, participants in information¬ 
sharing forums may make more detailed information available. With such infonnation, industry 
and Government can strengthen security and prevent or mitigate the damage caused by future 
incidents or attacks. The process may also facilitate infonnation sharing across critical 
infrastructures. 

The NSTAC determined that specific benefits could accrue to both industry and Government. 
Government will be better able to detennine the type of threat facing the Nation’s critical 
infrastructures today and in the future through joint industry and Government information¬ 
sharing initiatives. By combining private sector information about the type of incidents and 
attacks that are experienced with infonnation obtained through intelligence and law enforcement 
sources, Government participants may develop warnings and advisories that can also assist other 



departments and agencies in the Federal, State, and local governments; the critical 
infrastructures; and security organizations in protecting their own systems and responding to 
incidents. 

Partnering with Government may allow industry to obtain more detailed threat infonnation. As 
Government provides the private sector with indications and warnings and information on 
specific threats facing the Nation, companies may develop a better understanding of the threats 
facing their particular infrastructure and may be willing and able to take further action to protect 
the sector. Access to Government threat-related infonnation through information-sharing 
initiatives may increase the opportunity for the private sector to determine where it will get the 
“most bang for its security buck.” 

Impediments to Infonnation Sharing . The NSTAC investigated several impediments to 
information sharing, including legal, perceived, and operational. 

Legal Impediments. Foremost among the legal impediments examined by the task force was the 
FOIA. In 1997, the President’s Commission on Critical Infrastructure Protection (PCCIP) 
recognized the need for voluntary information sharing and identified the FOIA as a barrier to the 
information-sharing process. The rationale was that FOIA makes information sharing in the 
possession of the Federal Government available to the public upon request. As a result, and as 
noted by the PCCIP, potential participants in an information-sharing mechanism may require 
assurances that their sensitive infonnation will remain confidential if shared with the Federal 
Government. More recently, Congress, at the urging of industry and Government, recognized 
that FOIA might be a barrier to voluntary information sharing in preparation for and during the 
Y2K rollover. 

On the basis of its finding that protection of voluntarily shared information must be provided, the 
NSTAC recommended to the President that the then-pending Y2K Information and Readiness 
Disclosure Act be supported. The legislation, which was enacted into law (Public Law 105-271), 
contained a provision to protect infonnation that is voluntarily shared with the Government. That 
infonnation is to be treated as part of a “special data gathering” from disclosure under FOIA. 

Both the Y2K experience and PDD-63 have raised awareness about the sensitivities of 
infonnation-sharing processes. However, in the context of PDD-63, critical infrastructures are 
being asked to share infonnation for a longer duration and under less defined conditions than 
previously experienced during Y2K. Consequently, the NSTAC concluded that for PDD-63 
infonnation-sharing initiatives to be fully implemented, protection of voluntarily shared 
infonnation from disclosure under FOIA must be provided. As a result, the NSTAC 
recommended that the President support legislation similar to the Y2K Information and 
Readiness Disclosure Act for the purposes of information sharing for critical infrastructure 
protection. 

Perceived impediments. Perceived impediments generally relate to the difference in perspectives 
between industry and Government regarding the threat to critical infrastructures. On the whole, 
industry believes it understands and is adequately mitigating the threat to its operations. At the 
same time, the Government has referred to an increased, hostile international threat to the critical 



national infrastructures. However, this threat is unclear. The NSTAC found that without a clear 
and present danger, it is difficult for industry to justify spending additional dollars to protect 
systems that may never be attacked. The NSTAC also found that an additional perceived 
impediment was the view that infonnation shared between competing companies may be used to 
gain business advantage over the company willing to share infonnation on operational 
difficulties. 

Operational Impediments. Industry shares infonnation using several channels. Providing the 
same infonnation to multiple entities places demands on corporate resources. By designating 
one forum as a repository for information related to a particular industry sector, the demands 
placed on a company for information sharing should be reduced. As an ISAC for 
telecommunications, the NCC is positioned to serve as that forum through which industry and 
Government can share telecommunications indications, assessment, and warning infonnation. 
The NCC, as a coordinating entity, could then forward infonnation, in an agreed-on fonn, to 
other appropriate bodies (e.g., other ISACs, the National Infrastructure Protection Center, and 
the Computer Emergency Response Team Coordination Center) as permitted under infonnation- 
sharing agreements. 

Legislative and Regulatory Group (LRG) Report, June 1999 

Following NSTAC XXI and in response to infonnation-sharing policy outlined in PDD-63, the 
NSTAC set out to identify and assess legal and regulatory obstacles to sharing outage and 
intrusion infonnation. To that end, the NSTAC determined that identification and discussion of 
existing and proposed NS/EP-related outage and intrusion infonnation-sharing mechanisms 
could provide additional insights in assessing critical infrastructure protection issues. To better 
understand the information-sharing environment and the entities involved in the process, the 
NSTAC developed a document (titled Telecommunications Outage and Intrusion Information 
Sharing Report and included in the LRG’s 1999 report to the President) illustrating the entities 
with which telecommunications companies shared outage and intrusion infonnation. 

The LRG also reviewed potential legal barriers that could inhibit the infonnation-sharing 
process. The major barriers studied by the group included those associated with FOIA, liability, 
and antitrust. The NSTAC also examined several other potential baniers initially identified by 
the PCCIP, including those associated with classified information and national security, State 
government liability disclosure, confidential information, and trade secrets and proprietary 
infonnation. 



The NSTAC drew general conclusions in the following areas: 

• Information sharing occurs in a number of forums. 

• Legal barriers may affect infonnation sharing. 

• Information sharing is mostly voluntary. 

• Voluntary infonnation sharing depends on receiving a benefit. 

• Information sharing is based on trusted relationships. 

• Information sharing may depend on the company and individual participant. 

• Information sharing is content-focused. 




RESEARCH AND DEVELOPMENT (R&D) NEEDS 


Over the years, the President’s National Security Telecommunication Advisory Committee 
(NSTAC) has investigated several R&D issues as they relate to the national security and 
emergency preparedness (NS/EP) telecommunications infrastructure. Recent issues focused on 
R&D for intrusion detection technologies and technologies that address telecommunications 
infrastructure vulnerabilities. The NSTAC has also sponsored several R&D Exchanges to 
surface issues and needs related to the security of the telecommunications infrastructure. 

Network Group, Intrusion Detection Subgroup (IDSG) Report, December 1997 
In 1997 the NSTAC conducted a study of intrusion detection technology R&D that included an 
examination of existing and planned intrusion detection technology R&D initiatives and 
provided analysis in tenns of meeting NS/EP requirements. The NSTAC determined that there 
was no overarching national technology policy that articulated a vision concerning Federal 
intrusion detection R&D. The NSTAC concluded that R&D in this area should focus on the 
network and infrastructure levels and establishing testbeds and laboratories to develop standards, 
metrics, and testing procedures. The study showed that a need existed for Federal investment in 
educating and training employees to recognize intrusion and to heighten their awareness of the 
risks electronic intrusion involves. 

NSTAC R&D Exchanges 

The first R&D Exchange, sponsored in 1991, was intended to provide a forum for industry and 
Government officials to discuss six technology areas identified by the NSTAC and to exchange 
infonnation about ongoing R&D projects. The theme for the two-part event was intrusion 
detection. The NSTAC held the second R&D Exchange in September 1996 to facilitate a 
common understanding of network security problems affecting NS/EP telecommunications, to 
identify R&D programs in progress to address those problems, and to identify future security 
technology R&D needs. Participants focused on the issue of academic excellence in infonnation 
assurance (IA). Then, in October 1998, the NSTAC co-sponsored the third R&D Exchange to 
examine collaborative approaches to security technology R&D. The participants also discussed 
the need for training more IT security professionals, creating large-scale test beds to test security 
products and solutions, and promoting the creation of IA Centers of Excellence in academia. 

NSTAC R&D Exchange Proceedings, 2000 

In September 2000, the NSTAC sponsored its fourth R&D Exchange with the 
Telecommunications and Information Security Workshop (TISW) 2000 at the University of 
Tulsa. The theme for the 2-day event was “Transparent Security in a Converged and Distributed 
Network Environment: A Dream or a Nightmare?” The purpose was to stimulate an exchange of 
ideas among representatives from industry, Government, and academia on the challenges posed 
by the convergence of the traditional public-switched network and the Internet into a Next 
Generation Network (NGN). 

The general conclusion of the R&D Exchange was that the challenges to securing networks in a 
converged and distributed environment grow more difficult. Further, those challenges require a 
greater deal of cooperation among network providers, vendors, and users. More specifically, the 
participants concluded that— 



The shortage of qualified IT professionals, particularly those with expertise in IA and/or 
computer security, remains a major impediment to strengthening the security of the NGN. 
The participants believed programs, such as the Scholarship for Services program under 
the Federal Cyber Service initiative and others designed to create financial incentives for 
students to pursue computer security disciplines at the graduate and undergraduate levels, 
need to be implemented. 

The IA Centers of Excellence program is an excellent initiative to address the growing 
demand for computer security professionals but needs to be expanded beyond the current 
14 schools. Moreover, a need exists to make infonnation about the IA Centers of 
Excellence and other IA curricula and certifications available to other schools, such as 
community colleges and technology trade schools. In addition, participants encouraged 
cyber ethics training at the K to 12 level. 

The Partnership for Critical Infrastructure Security represents an important step in 
enhancing the relationship between the private sector and the Government, but wider 
participation by academia and officials in State and local governments is needed. 

Developing a business case for security poses difficult challenges in the commercial 
sector, and there is a need to offset the high costs and high risks associated with R&D in 
security technology. Tax credits and other financial incentives might enable companies to 
minimize their risks and encourage commercial enterprises to increase the funding of 
security technology R&D. 

Given the complexity introduced to networks by convergence and the proliferation of 
network providers and vendors, best practices, standards, and protection profiles that 
ensure security must be evenly applied across the NGN. 

R&D efforts need to be enhanced to develop better testing and evaluation programs to 
reduce the vulnerabilities introduced by malicious software. Although securing the 
transmission of voice and data remains an important concern, identifying security 
vulnerabilities in the network control space is equally important. 

New types of threats, such as distributed denial-of-service attacks, challenge corporations 
to develop security policies to protect themselves from liability claims. For example, 
new legal precedents, case law, and Federal legislation, such as the Health Insurance 
Portability and Accountability Act of 1996, are forcing organizations to take new security 
measures to protect the confidentiality and integrity of information or risk civil litigation. 

Although technology remains an important component in building security solutions, it is 
vital to conduct research activities in other areas such as operations, legal and public 
policy, and human factors. The efficacy of technological solutions often depends on the 
ability of human operators to properly implement, administer, and manage the technology 
consistent with company policy and the legal constraints. 



There is a need to sponsor joint events like TISW 2000 and the R&D Exchange that 
facilitate a dialogue among representatives from industry, Government, and academia. 
All three communities play a crucial role in the R&D of security technologies and 
applications, and participants described how holding events at universities with IA 
programs offered unique benefits. Most notably, such events allow security practitioners 
from industry, Government, and academia to share views and opinions on R&D issues in 
an infonnal, research-oriented setting. 



INTERNATIONAL CONSIDERATIONS 


In the early 1990s, the Government recognized the growing importance and criticality of the 
information infrastructure. With the release of An Agenda for Action, the Administration 
promoted a national strategy to develop a robust, accessible, and reliable infonnation 
infrastructure that would satisfy the national and economic security interests of the United States. 
Since that time, growing competition and technological innovation have resulted in a national 
and global, interconnected, open-infonnation infrastructure that offers commercial efficiencies 
and societal benefits. 

Soon after the release of An Agenda for Action, the Government focused on the ongoing 
development and expansion of the global infonnation infrastructure (GII). Although the 
expansion of the GII and the globalization of communications and IT generate obvious economic 
and societal benefits, they pose new risks for critical infrastructures and services. Mitigating 
these risks is necessary for protecting our Nation’s and our allies’ critical infrastructures. The 
President’s National Security Telecommunications Advisory Committee (NSTAC) has studied 
the current and future nature of the GII and investigated the impact of the GII on national 
security and emergency preparedness (NS/EP) communications. Although international 
considerations were not a part of Version 1 of the National Plan, NSTAC would like to include a 
discussion of them to help further the dialogue between industry and Government concerning 
critical infrastructure protection issues. 

Globalization Task Force (GTF) Report, May 2000 

The NSTAC studied several international issues in its May 2000 report to the President. These 
included NS/EP issues related to the GII in 2010, foreign ownership of NS/EP critical 
communications systems, and technology export policies. 

The NSTAC concluded that in 2010, NS/EP communications would be facilitated by a GII 
featuring new technologies and improved network features. The GII in 2010 would also provide 
increased global availability of broadband communications, with satellite communications and 
wireless technologies bringing the GII and NS/EP communications to less accessible geographic 
regions. However, despite the plethora of technological capabilities forecasted for 2010, there is 
no guarantee that all essential communications capabilities will be ubiquitously available. Given 
the global reach and communications needs of some U.S. NS/EP missions, prudent NS/EP 
communications contingency planning should consider end-to-end systems using a broad range 
of wireless, satellite, and terrestrial capabilities. 

The NSTAC also concluded that, in addition to planning for the global availability of the GII in 
2010, the Government must consider the richness of service envisioned in the future network 
architecture and decide whether NS/EP communications will require QoS features beyond 
commercially available capabilities. Any, and perhaps all, of the potential protocols of 2010 
could be considered candidates for hosting NS/EP requirements. Thus, the Government must 
continue being proactive in its attempts to cooperate in developing industry standards and 
technical specifications for next-generation and IP-based networks. 



The NSTAC also examined the implications of foreign ownership of critical U.S. 
telecommunications facilities on NS/EP services. The NSTAC developed a scoping paper on the 
issue and concluded that the current regulatory structure effectively accommodated increasing 
levels of foreign ownership of U.S. telecommunications facilities, while allowing the Federal 
Government to retain the authority to prevent any such foreign ownership that might 
compromise national security interests. 

In addition, the NSTAC examined technology export policies dealing with the transfer of strong 
encryption products, satellite technology, and high-perfonnance computers. The NSTAC 
compiled basic infonnation about key technology export issue areas and monitored the 
implementation of new export policies and regulations. The NSTAC also investigated the 
development of guidelines to assist companies in understanding Government approval of 
technology sales. The NSTAC concluded that because technology progresses faster than policy, 
industry and Government should continue to reevaluate the limits placed on the export of 
technologies. 



ATTACHMENT A 
NCC-ISAC 


(Excerpted from the NSTAC’s IS/CIP Task Force Report, May 2000, Appendix D) 

NSTAC Recommended Input to the National Plan 

The following text is recommended for inclusion in subsequent versions of the National Plan. 
The text addresses the designation and implementation of the National Coordinating Center for 
Telecommunications as an Information Sharing and Analysis Center for telecommunications. 


National Coordinating Center for Telecommunications 

In response to a National Security Telecommunications Advisory Committee (NSTAC) 
recommendation, the National Coordinating Center for Telecommunications (NCC) was 
established and began operations on January 1, 1984, as a joint industry/Govemment National 
Coordinating Center capable of assisting in the initiation, coordination, restoration, and 
reconstitution of national security and emergency preparedness (NS/EP) telecommunications 
services and facilities under all conditions of crisis or emergency. Subsequent to beginning 
operations, the NCC was fonnalized on April 3, 1984, when President Reagan signed Executive 
Order 12472, Assignment of NS/EP Telecommunications Functions. 

This joint industry/Government center facilitates infonnation sharing between industry and 
Government through the following functions as identified in the industry/Government approved 
Charter: 

• promptly provide technical analysis and damage assessment of service disruptions and 
identify necessary restoration actions, 

• coordinate/direct prompt restoration of telecommunications services in support of NS/EP 
needs, 

• develop and exercise comprehensive service restoration plans, 

• develop watch center type functions to work through cooperating industry operation centers 
to effectively monitor the status of essential telecommunications facilities, 

• maintain access to an accurate inventory of the minimum essential equipment, personnel, 
and other resources that are available for restoration operations, including the location and 
capabilities of all industry’s network operations centers, 

• identify liaison points in each company, 




• maintain ability to rapidly transfer operations from normal to emergency operations, 

• coordinate/direct and expedite the initiation of NS/EP telecommunications services, 

• contribute to the development of technical standards and national network planning and 
ensure application of those standards and dissemination of those plans to facilities serving 
NS/EP needs, and 

• coordinate/direct network reconfiguration plans in support of NS/EP needs. 

The NCC’s role in fulfilling its charter functions began to evolve in the changing environment 
following the end of the Cold War and as the Administration determined that national security 
includes economic security. In 1996, the NCC began to develop an indications, assessment, and 
warning (IAW) capability. The NSTAC concluded that the IAW capability was within the scope 
of the NCC Charter, and in 1998 directed the NCC conduct an IAW pilot project. Lessons 
learned from the pilot project were incorporated into the NCC’s ongoing operations. 

Following the issuance of Presidential Decision Directive (PDD) 63, Protecting America’s 
Critical Infrastructures, in May 1998, the NSTAC concluded that the NCC performs the primary 
functions of an Information Sharing and Analysis Center (IS AC) in the context of PDD-63. The 
National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism agreed in a 
memorandum dated January 18, 2000. 

The NCC is unique as an ISAC. It is a joint industry/Govemment organization located in the 
Office of the Manager, National Communications System and staffed by both industry and 
Government. Information sharing between industry and Government has been taking place in a 
trusted environment over the past 16 years in the NCC. A phased implementation plan, 
developed by both industry and Government, will address expanded participation, NCC 
activities, and external coordination to achieve full operating capability. 



APPENDIX C 

SHARING INFORMATION ON INCIDENTS REPORTED TO 

LAW ENFORCEMENT 



SHARING INFORMATION ON INCIDENTS REPORTED TO LAW 

ENFORCEMENT 

At the May 2000 meeting of the President’s National Security Telecommunications Advisory 
Committee (NSTAC XXIII), the NSTAC Principals discussed with senior Government officials 
how to improve the sharing of infonnation between Government and industry regarding 
electronic intrusions into network systems and databases. One issue discussed with 
Mr. Michael Vatis, Director of the National Infrastructure Protection Center (NIPC), was 
whether victims of such crimes were prohibited by law enforcement from reporting the 
intrusions to Infonnation Sharing and Analysis Centers (ISAC) or similar information sharing 
forums. Because the Principals and the Director, NIPC, had different views on this issue, 

Mr. Van Honeycutt, NSTAC Chair, suggested that NSTAC document its concern. 

INDUSTRY’S EXPERIENCE 

Throughout the 10-year history of the Government and NSTAC Network Security Infonnation 
Exchanges (NSIE), NSTAC NSIE representatives have noted that they could not discuss 
intrusions into their networks and systems with anyone else after reporting them to law 
enforcement because case agents told them that doing so might compromise their cases. 

Because the companies and individuals wanted to cooperate with law enforcement, and did not 
want to risk jeopardizing their cases, they have honored these requests. This restriction has 
hindered information sharing within the NSIE and, more recently, threatens to have the same 
effect on industry’s participation in ISACs. 

THE LAW 

Ms. Martha Stansell-Gamm, Chief, Computer Crime and Intellectual Property Section, 
Department of Justice (DOJ), confirmed that there are no laws or policies prohibiting victims 
from discussing crimes against them even after they have reported them to law enforcement. 
Victims can share their own experiences with the incidents with anyone; this information 
includes any testimony victims provide to a grand jury. The law clearly places no restrictions on 
victims discussing intrusions within the NSIEs or sharing such information with an ISAC. As a 
practical matter, however, Ms. Stansell-Gamm noted that discussing a pending case too broadly 
can jeopardize its successful prosecution. The key is to discipline the dissemination of 
infonnation. Some examples include sharing appropriate infonnation in appropriately protected 
forums, such as the NSIEs or an ISAC, or using other mechanisms that meet information-sharing 
needs and that also protect sensitive infonnation. 

CONCLUSION 

Current law technically allows victims to share information on cases they have reported to law 
enforcement. However, industry’s experience indicates that common practice discourages 
victims from sharing such infonnation with anyone. This reflects a lack of understanding on the 
part of victims, case agents, and prosecutors on the benefit of sharing some infonnation with 
some people to prevent further crimes. 



Ms. Stansell-Gamm acknowledged that the section’s and the NIPC’s policy to encourage this 
disciplined information sharing may not be reflected in common practices within the law 
enforcement community. In response to industry’s concern, Ms. Stansell-Gamm offered to— 

• Work with other components of DOJ and the Federal Bureau of Investigation to develop 
policies that encourage victims to share infonnation on electronic crimes in protected 
forums, or using other appropriate means, to strengthen network security 

• Ensure that Federal law enforcement personnel understand and implement those policies 

• Educate victims on those policies 

• Encourage other law enforcement agencies (State and local as well as international) to 
take these same actions. 

As noted, victims mistakenly assume that they are legally prohibited from sharing infonnation 
after reporting a case to law enforcement. The private sector must ensure that its personnel who 
interact with law enforcement on such cases are aware that they not only are allowed but also are 
encouraged to share this information through appropriate mechanisms for network security 
purposes. The NSIEs and the ISACs are examples of such mechanisms. The NSIEs have put 
procedures in place to protect the sensitive details and have a 10-year record of sharing, acting 
on, and successfully protecting sensitive information. 

Ms. Stansell-Gamm suggested that the NSIEs could assist in building law enforcement’s 
confidence that information shared for network security will be properly disciplined. She asked 
the NSIEs to clarify their procedures for sharing and protecting information and to assist her in 
communicating them to law enforcement. 

NSTAC’s NEXT STEPS 

On the basis of Ms. Stansell-Gamm’s response to industry’s concerns, the Government and 
NSTAC NSIEs believe that no further NSTAC action is necessary. The Government and 
NSTAC NSIE will document their procedures for sharing and protecting information and will 
continue to work with DOJ to communicate these procedures to the law enforcement community. 



